browser vendors and CAs agreeing on high-assurance certificates

Anne & Lynn Wheeler lynn at garlic.com
Sun Dec 18 12:27:34 EST 2005


Steven M. Bellovin wrote:
> The article is a bit long-winded and short on details, but the basic 
> message is simple: too many CAs have engaged in a price- and 
> cost-driven race to the bottom; there are thus too many certificates 
> being issued that aren't really trustworthy.  A group of CAs and 
> browser vendors have been meeting; they've agreed on a set of standards 
> for certificates that represent more checking by the CA.  Browsers will 
> be enhanced to display a different sort of notification -- for IE, a 
> green address bar.  

but this is consistent with my comments that as the offline market
segment ... which was the original design point for certification
authorities ... starts to disappear ... as the internet becomes more and
more ubiquitous; then certification authorities have moved into the
no-value market segment; aka that market segment that still couldn't
justify either

1) cost of having their own local repository of communicating entities
(even as cost of local computing and storage was rapidly dropping)

and/or

2) even the drastically dropping cost of internet online operations
couldn't be cost justified for whatever it was that they were doing.

this gets into a rapid downward spiral ... since as they moved more and
more into the no-value market segment ... what the certification
authorities were able to charge customers dropped ... as they lost price
elasticity in what they could charge ... the revenue flow for supporting
internal infrastructure and operation would start to dry up.

the other long standing comment with regard to original ssl domain name
certificates was that this supposedly staked out the e-commerce trust
model. when we initially tried to set more stringent requirements for
what could be checked as the basis for providing e-commerce trust ... we
ran into a strongly bimodal environment

1) the majority of e-commerce transactions were done with a few widely
known sites and/or sites that the client had repeatedly transacted with
before. as a result, there were a large number of other trust vehicles
and these merchants felt it was not necessary to pay a large amount
for a significant certificate-based trust operation ... since their trust
was being established by a wide range of other mechanisms.

2) the vast majority of e-commerce sites did very few transactions
each. this was the market segment involving e-commerce sites that
aren't widely known and/or represent first time business. it is this
market segment that is in the most need of trust establishment;
however, it is this market segment that has the lowest revenue flow to
cover the cost of creating a trust value.

there is actually a third issue for the vast numbers of low traffic
e-commerce merchants ... the lack of trust can be offset by risk
mitigation. it turns out that this market segment, where there is
possibly little reason for the customer to trust the merchant, has had
trust issues predating the internet ... at least going back to the
introduction of credit financial transactions. as opposed to trust, risk
mitigation was addressed in this period with things like Reg E and the
customer having a high level of confidence that disputes tended to
heavily favor the customer. this characteristic of risk mitigation, in
lieu of trust, then carried over into the internet e-commerce realm.

somewhat as a result, the certification authorities weren't willing to
insure and/or provide any guarantees ... and the e-commerce merchants
weren't willing to pay certification authorities for such risk
mitigation ... since they were already paying the financial institutions
for such risk mitigation ... and there was no point in having redundant,
superfluous, duplicated and/or replicated overhead costs.

so that effectively left the certification authorities (of the period)
providing a sense of confidence and trust ... not in the entity that
clients were dealing with ... but purely some incremental sense of
confidence that the URL that clients had typed in was really getting
them to the website that they thought they were getting to. part
of the problem here was that there were extremely few fraud incidents
involving people typing in a URL and getting redirected to a site other
than the site indicated by the URL (the incremental trust value
represented by having certificate-based certified information from a
certification authority).

Even this exploit/countermeasure scenario was subverted when merchants
decided that SSL was too expensive for the general shopping experience
... and was only needed for checkout/paying. In that emerging model
(that is now widely prevalent), the merchant site provided a
click-button that automatically generated the URL ... along with a
certificate matching the URL. There was no longer checking of the URL
provided by the customer ... there was only a certificate provided by
the merchant that validated a URL provided by the merchant.

most of the sense of trust ... and/or at least a sense of well-bounded
risk in e-commerce was provided by mechanisms that had predated internet
e-commerce. the websites that had the lowest amount of trust (not widely
known and/or repeat business; aka unknown, first time business) were the
ones that could least afford an expensive certification process.

certification authorities were trying to 1) use a mechanism originally
designed to provide trust in an offline environment, which was a rapidly
disappearing market segment, and 2) primarily provide incremental trust in
a market segment that already had several well-established trust
mechanisms ... which left them a very bounded market niche which didn't
actually justify large revenue. The possible incremental trust and/or
sense of safety provided by certification authorities was pretty well
bounded in the environment ... and the market segment that had the
highest need for incremental trust and sense of safety was the market
segment with the lowest revenue flow per website.

a secondary factor was that the certification authority price structure
was effectively flat rate to all merchants. the trust and safety model
from the financial infrastructure was a much better structured business
model. the financial infrastructure effectively provided insurance on
every transaction ... the customer had a much, much higher sense of
safety ... and the cost to the merchant was strictly proportional to
their revenue. with the financial infrastructure already in the sense of
safety market segment ... with effectively a product that had a
significantly better business structure for both customers and
merchants ... that significantly narrowed the trust&safety market
segment open to certification authorities.

some misc past posts about certification authorities' migration into the
low/no value market segment
http://www.garlic.com/~lynn/aadsm12.htm#26 I-D ACTION:draft-ietf-pkix-usergroup-01.txt
http://www.garlic.com/~lynn/aadsm12.htm#27 Employee Certificates - Security Issues
http://www.garlic.com/~lynn/aadsm12.htm#52 First Data Unit Says It's Untangling Authentication
http://www.garlic.com/~lynn/aadsm12.htm#55 TTPs & AADS (part II)
http://www.garlic.com/~lynn/aadsm13.htm#14 A challenge (addenda)
http://www.garlic.com/~lynn/aadsm16.htm#22 Ousourced Trust (was Re: Difference between TCPA-Hardware and a smart card and something else before
http://www.garlic.com/~lynn/aadsm17.htm#53 Using crypto against Phishing, Spoofing and Spamming
http://www.garlic.com/~lynn/aadsm21.htm#24 Broken SSL domain name trust model
http://www.garlic.com/~lynn/2002p.html#22 Cirtificate Authorities 'CAs', how curruptable are they to
http://www.garlic.com/~lynn/2004b.html#52 The SOB that helped IT jobs move to India is dead!
http://www.garlic.com/~lynn/2004e.html#20 Soft signatures
http://www.garlic.com/~lynn/2004i.html#2 New Method for Authenticated Public Key Exchange without Digital Certificates
http://www.garlic.com/~lynn/2005k.html#29 More Phishing scams, still no SSL being used
http://www.garlic.com/~lynn/2005k.html#60 The Worth of Verisign's Brand
http://www.garlic.com/~lynn/2005l.html#1 The Worth of Verisign's Brand
http://www.garlic.com/~lynn/2005l.html#23 The Worth of Verisign's Brand
http://www.garlic.com/~lynn/2005o.html#40 Certificate Authority of a secured P2P network

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com