Is cryptography where security took the wrong branch?

Eric Rescorla ekr at rtfm.com
Sun Sep 7 15:46:17 EDT 2003


Ian Grigg <iang at systemics.com> writes:

> Eric Rescorla wrote:
> ...
> > > The other thing to be aware of is that ecommerce itself
> > > is being stinted badly by the server and browser limits.
> > > There's little doubt that because servers and browsers
> > > made poorly contrived decisions on certificates, they
> > > increased the overall risks to the net by reducing the
> > > deployment, and probably reduced the revenue flow for
> > > certificate providers by a factor of 2-5.
> > I doubt that. Do you have any data to support this claim?
> 
> Sure.  SSH.
That's not data; it's an anecdote--and not a very supportive one
at that. As far as I know, there isn't actually more total
SSH deployment than SSL, so you've got to do some kind of
adjustment for the total potential size of the market, which
is a notoriously tricky calculation. Do you have any actual
data or did you just pull 2-5 out of the air?

> It's about take up models.  HTTPS'
> model of take-up is almost deliberately designed
> to reduce take-up.  It uses a double interlocking
> enforcement on purchase of a certificate.  Because
> both the browser and server insist on the cert
> being correct and CA-signed and present, it places
> a barrier of size X in front of users.
I don't know where you got the idea that the server insists on cert
correctness. Neither ApacheSSL nor mod_SSL does.

> Instead, if there were two barriers, each of half-X,
> being the setup of the SSL server (a properly set
> up browser would have no barrier to using crypto),
> and the upgrade to a CA-signed cert, then many more
> users would clear the hurdles, one after the other.
Maybe, maybe not. You've never heard of price inelasticity?

The fact of the matter is that we have no real idea how
elastic the demand for certs is, and we won't until someone
does some real econometrics on the topic. Unless you've
done that, you're just speculating.

-Ekr

-- 
[Eric Rescorla                                   ekr at rtfm.com]
                http://www.rtfm.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com