[Cryptography] Certificates and PKI
iang at iang.org
Mon Dec 29 12:24:34 EST 2014
On 25/12/2014 03:10 am, John Gilmore wrote:
>> But economic rules do eventually win out -- users won't pay for
>> quality with a commodity product.
> What's your citation for that statement?
It's in the definition of commodity?
> I see commodity products all around me that users have paid for and
> that have sufficient quality. Everything from pencils and ethernet
> cables to food, clothing, and DRAM. And there are always niches for
> higher quality versions of commodities, such as the "organic" market,
> or "Monster Cable triple gold plated Ethernet cables".
Right -- the marketing battle is to reverse the commoditisation. In
order to gain the attention of the consumer, you have to put something
in front of their eyeballs.
Pencils: colour? brand? feel? sharpness?
food: colour, shape, absence, warmth...
DRAM: speed, reliability
organic: taste, welfare, fair trade
Monster: exotic theories about electron movement, bulk, fatness
All of these are things that (purport to) say the above products are not
> What there may not be is some kind of monopoly that lets all the
> vendors charge outrageous prices while imposing contracts that
> eliminate all their liability, responsibility, etc.
The browser vendors control the certificate display such that they
remove or reduce the ability of the CA to de-commoditise their product.
As the CA cannot present any information to the consumer, the CA is
commoditised. No "pull". Verisign is the same as ... name any other
brand, and thus there is no brand.
Therefore the race to the bottom. Inevitable, by the laws of economics.
In the race to the bottom, contracts must be imposed that dump all
liability, all responsibility on parties other than CAs , and other
actions, so that the marginal cost of each certificate is zero. As cost
goes, so does security.
The race to the bottom can only be unwound by browser vendors making a
decision that draws on economics/marketing theory and practice to show
the CA's name and brand (logo) on the URL bar or similar. Until that
happens and the CA gets a reason to perform, secure browsing is a bottom
(Typically, browser vendors can't see past the "advertising" aspects of
CA brands. "What's in it for me?" or "advertising is evil.")
 Originally CAs dumped liability on vendors and users. See the
oft-cited Baseline Requirements for a realignment of liability such that
the CA liability dumping on vendors was eliminated. This results in
both CA and vendor the dumping all liability on users.
More information about the cryptography