why are CAs charging so much for certs anyway? (Re: End of the line for Ireland's dotcom star)

Ed Gerck egerck at nma.com
Wed Sep 24 20:40:38 EDT 2003


Yes, there is a good reason for CAs to charge so much for certs.
I hope this posting is able to make this clear once and for all.

  FOREWORD: It's often said that a good lawyer should be able to argue
  both sides of an issue... Though I am not a lawyer, I believe it is
  instructive to see things from all perspectives. My answer may help see
  things from the CA side and IMO does not contain any exaggeration.

Of course, to properly answer the question I would need to write a
CA Business Plan, which should contemplate the various pros, cons,
pricing, and contingency plans. However, without daring to use much
time in such a dubious endeavor, let me just briefly discuss the CA
business model in order to better motivate the pricing strategy answer.

1. Product Liability to Clients: Zero.

 CAs provide certificates that have zero content, zero warranties,
 zero assurances and, hence, zero liability under any law system.
 This is a very good point for CAs, and it is difficult to imagine a
 legal business that could get so close to this goal. Perhaps,
 chiromancy with consenting adults over a phone line could
 be similar, but with a lesser market.


2. Contract Liability to Users: Zero.

 Since the certificate's users (ie, historically known as the
 relying-parties) are not the ones that paid for the certificate to
 the CA (ie, the certificate was paid for by the subscriber), this
 means that the CA has no responsibility or contractual obligation
 whatsoever to the certificate's users, hence zero liability.


3. After-Sales Support: Almost Zero.

 This is also a very good point. There is no maintenance, set-up,
 compatibility or other post-sales questions to worry about. The
 product also self-destructs, so to say, after a period of usually one
 year, so there is not even a marginal need to maintain compatible
 systems for diagnosis after one year. Regarding the eventual need to
 revoke a certificate, here we are forced to say that after-sales
 support is "almost zero". However, that is not a serious issue
 because certificate revocation also has no warranties or assurances,
 hence this freely provided service has no liabilities or obligations
 to the CA, not even to be expeditious.


4. Product Recall: Zero.

 The subscriber cannot send back an issued certificate and decide to
 cancel his order because the certificate does not work on the new
 Gizmo v4.0 or equivalent browser, or just because he does not like
 it any more. Once the product is sold, the revenues are liquid.


5. Technical Regulation: Almost Zero.

 Certificates are technically regulated by X.509 but X.509 is very
 tolerant on almost all issues except purely syntactic issues which
 are handled blindfolded by software. Further, CAs can issue their
 very own operating laws (CPS - Certificate Practice Statement)
 according to their needs and profit rules. They can define all their
 operating parameters.


6. Legal Regulation: Almost Zero.

 The CA's CPS must be accepted by the client and the CA can change it
 at will, at any moment. Legislation, such as Illinois', already
 considers such self-made laws as legally binding in lieu of any
 legislation's mandated procedures (see a typical CA CPS).


7. Legal Mandatory Use: Possible.

 This is a very positive point for CAs. Legal initiatives may make it
 mandatory to use CAs (eg, TTPs) in order to allow certificates to be
 deployed. So, CAs would have captive markets in this positive
 scenario and the client would not be able to decide not to use a CA.


8. Matched Sales: Strongly Enforced.

 A CA can reach profitable agreements with a wide array of partners,
 such as financial agents, software producers, content providers,
 etc., in order to render its certificates strongly matched to the
 partner's products or services. This is easily cryptographically
 guaranteed and sounds reasonable when explained to customers. For
 example, software producer ACME can easily decide that its product
 Gizmo will only accept plug-ins signed by a specific CA -- allowing
 several legal avenues for matched sales.


9. Product Price: At Will.

 There is no reference in price for an array of 2 Kbytes. It can
 range from $5.00 to $500.00 or beyond. Since the market also has to
 accept matched sales as a natural procedure in this case, it is not
 difficult to organize different product classes so that essentially
 the same array of 2 Kbytes can have very profitable margins for
 high-end (ie, expensive) applications.


10. Insurance: Paid By The Client.

 To cover for those few cases where the CA could still be liable (ie,
 gross negligence, employee collusion, fraud, etc.) to its clients,
 it is accepted to ask for the client to pay for insurance against
 the CA's acts. Since the users have no coverage (they are not part
 of the contract and they are not considered innocent bystanders as
 with car accidents), such insurance will need to cover only the
 client.


PRO SUMMARY: CAs make very good sense as businesses, shareholder's
risk is low and the activities are essentially unregulated. Further, future
legislation cannot impose more burdens because it would be technically
unwarranted.

CON SUMMARY: Of course, the problems of e-commerce are not solved
by the CA business model and the so-called relying-parties must rely on
themselves. This might point to a possible technology changeover if
such market forces gain momentum, possibly also after a stage of apparent
condescendence.

PRICING STRATEGY: CAs should keep their prices high and find ways
to add price to current products (eg, offering insurance, different
certificate classes, benefits for CRL access, etc.) -- because the potentially
difficult mid-term future of such business imposes the need for a large
ROI in a short time. This is probably not a long-term business activity.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
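The "matched sales" scenario in point 8 (a host product such as Gizmo accepting only plug-ins signed under one specific CA) is, on the verifier's side, an issuer-pinning check. The following Go program is an added example, not code from the post or from any CA or vendor it mentions; every name in it ("Partner CA", "Other CA", "Plug-in Dev", the plug-in payload) is constructed. It builds two throwaway CAs with the standard library, has each issue a code-signing certificate, signs the same plug-in bytes under both, and shows that the host accepts only the signature that chains to the pinned root, and refuses a tampered plug-in even when the right CA issued the signer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA bundles a self-signed CA certificate with its private key.
// Everything here is constructed for the example; no real CA is involved.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed CA with a P-256 key, valid for one day.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CA{Cert: cert, Key: key}, nil
}

// IssueSigner issues a code-signing leaf certificate (EKU codeSigning) to a developer.
func (c *CA) IssueSigner(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, &key.PublicKey, c.Key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, nil, err }
	return cert, key, nil
}

// SignPlugin produces an ECDSA signature over SHA-256(plugin), ASN.1-encoded.
func SignPlugin(plugin []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(plugin)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// AcceptPlugin is the host-side check: the signer certificate must chain to the
// pinned root with a code-signing EKU, and the signature over the bytes must
// verify. The two failure modes are reported separately so an operator can
// tell "signed under the wrong CA" from "payload altered after signing".
func AcceptPlugin(plugin, sig []byte, signer, pinnedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer does not chain to the pinned CA: %w", err)
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, plugin, sig); err != nil {
		return fmt.Errorf("plug-in signature invalid: %w", err)
	}
	return nil
}

// Demo runs the scenario end to end and returns the host's three verdicts:
// partner-signed plug-in, plug-in signed under an unrelated CA, tampered plug-in.
func Demo() (partnerOK, otherOK, tamperedOK bool, err error) {
	partner, err := NewCA("Partner CA") // the CA Gizmo is matched to
	if err != nil { return }
	other, err := NewCA("Other CA") // any CA Gizmo is not matched to
	if err != nil { return }
	plugin := []byte("gizmo-plugin-v1: constructed sample payload")

	pCert, pKey, err := partner.IssueSigner("Plug-in Dev")
	if err != nil { return }
	pSig, err := SignPlugin(plugin, pKey)
	if err != nil { return }
	partnerOK = AcceptPlugin(plugin, pSig, pCert, partner.Cert) == nil

	oCert, oKey, err := other.IssueSigner("Plug-in Dev")
	if err != nil { return }
	oSig, err := SignPlugin(plugin, oKey)
	if err != nil { return }
	otherOK = AcceptPlugin(plugin, oSig, oCert, partner.Cert) == nil

	tampered := append([]byte{}, plugin...)
	tampered[0] ^= 0xff // flip one bit after signing
	tamperedOK = AcceptPlugin(tampered, pSig, pCert, partner.Cert) == nil
	return
}

func main() {
	p, o, t, err := Demo()
	if err != nil { panic(err) }
	fmt.Printf("partner CA accepted: %v, other CA accepted: %v, tampered accepted: %v\n", p, o, t)
}
```

Running it prints `partner CA accepted: true, other CA accepted: false, tampered accepted: false`. The pin lives entirely in `AcceptPlugin` (the single root placed in the pool), which is why the post can call the arrangement "cryptographically guaranteed": a developer holding a perfectly valid certificate from any other CA is refused by construction, not by policy text. Note that the check does no revocation lookup, which matches the post's point 3 about revocation being outside what the host can rely on from the CA; a real host would have to add CRL or OCSP handling itself.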
