why are CAs charging so much for certs anyway? (Re: End of the line for Ireland's dotcom star)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Sep 25 17:24:48 EDT 2003


Ed Gerck <egerck at nma.com> writes:

>PRICING STRATEGY: CAs should keep their prices high and find ways to add
>price to current products (eg, offering insurance, different certificate
>classes, benefits for CRL access, etc.) -- because the potentially difficult
>mid-term future of such business imposes the need for a large ROI in a short
>time. This is probably not a long-term business activity.

Actually there's a second aspect to this as well: Verisign's managed PKI
services.  The idea here is that since PKI (specifically, the X.509 PKI model)
is too hard for any normal person or organisation to handle, you charge people
an enormous amount of money to run their PKI for them.  You end up talking to
a Verisign cloud that acts as an authorisation oracle ("Is this thing OK?" -
"Yep, go ahead"), although exactly why you need a PKI for this rather than
(say) a basic challenge-response protocol to query the cloud is unclear (maybe
it's a fashion thing, or an in-joke that no-one's let me in on).  As a
moneymaking racket, it's second only to the "make the browser warning dialogs
go away" one: First you create an unworkable PKI design (although Verisign
didn't do that, they're just taking advantage of it), then you charge people
buckets of money to run it for them (and in terms of money-earners, it leaves
the $495 server certs in the dust - it's sort of like a PKI-DNS service,
except that you pay 5-6 figure sums for your name/key registration).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
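The post above contrasts an online "authorisation oracle" with a basic challenge-response protocol. The following is an added illustration (not code from the post or from any CA product) of the kind of protocol Gutmann has in mind: a client and an oracle that share a key, a fresh nonce per query so replayed answers are rejected, and an HMAC on both the question and the answer so neither side can be impersonated. The client ids, shared keys and the "payment:..." policy table are constructed for the example. The trade-off it makes visible is that a shared-key oracle only answers parties it has enrolled and leaves nothing a third party can verify later, which is what a signed certificate provides and an online query does not.

```python
import hmac
import hashlib
import secrets


class Oracle:
    """Online authorisation oracle: answers 'is this OK?' over a shared key.

    Assumed/constructed for this example: client_keys maps a client id to a
    secret shared out of band; policy maps a question string to a verdict.
    """

    def __init__(self, client_keys, policy):
        self.client_keys = client_keys
        self.policy = policy
        self.pending = {}  # client_id -> nonce issued and not yet consumed

    def challenge(self, client_id):
        # One fresh nonce per query; it is consumed on the first answer attempt,
        # so a captured (nonce, tag) pair cannot be replayed.
        nonce = secrets.token_bytes(16)
        self.pending[client_id] = nonce
        return nonce

    def answer(self, client_id, nonce, question, tag):
        key = self.client_keys.get(client_id)
        issued = self.pending.pop(client_id, None)
        if key is None or issued is None or not hmac.compare_digest(issued, nonce):
            return None  # unknown client, no outstanding challenge, or stale nonce
        expected = hmac.new(key, nonce + question.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # client could not prove possession of the shared key
        reply = b"yes" if self.policy.get(question, False) else b"no"
        # Bind the answer to this nonce so the client can detect a forged or
        # substituted reply.
        reply_tag = hmac.new(key, nonce + reply, hashlib.sha256).digest()
        return reply, reply_tag


def client_query(oracle, client_id, key, question):
    """Run one challenge-response exchange and return the oracle's verdict."""
    nonce = oracle.challenge(client_id)
    tag = hmac.new(key, nonce + question.encode(), hashlib.sha256).digest()
    result = oracle.answer(client_id, nonce, question, tag)
    if result is None:
        raise PermissionError("oracle rejected the query")
    reply, reply_tag = result
    expected = hmac.new(key, nonce + reply, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, reply_tag):
        raise ValueError("oracle reply failed authentication")
    return reply == b"yes"


# Constructed sample deployment: one enrolled client and a two-entry policy.
CLIENT_KEY = b"example-shared-secret-not-for-real-use"
ORACLE = Oracle(
    client_keys={"shop-frontend": CLIENT_KEY},
    policy={"payment:ok-vendor": True, "payment:blocked-vendor": False},
)

if __name__ == "__main__":
    print(client_query(ORACLE, "shop-frontend", CLIENT_KEY, "payment:ok-vendor"))
    print(client_query(ORACLE, "shop-frontend", CLIENT_KEY, "payment:blocked-vendor"))
```

Nothing here is a certificate: the oracle's word is good only to the party that holds the same key, at the moment of asking. That is exactly the point of the post, and also why the model fits a hosted service better than it fits anything a relying party must check on its own.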