[Cryptography] Certificates and PKI

ianG iang at iang.org
Mon Dec 29 12:24:34 EST 2014

On 25/12/2014 03:10 am, John Gilmore wrote:
>> But economic rules do eventually win out -- users won't pay for
>> quality with a commodity product.
> What's your citation for that statement?

It's in the definition of commodity?

> I see commodity products all around me that users have paid for and
> that have sufficient quality.  Everything from pencils and ethernet
> cables to food, clothing, and DRAM.  And there are always niches for
> higher quality versions of commodities, such as the "organic" market,
> or "Monster Cable triple gold plated Ethernet cables".

Right -- the marketing battle is to reverse the commoditisation.  In 
order to gain the attention of the consumer, you have to put something 
in front of their eyeballs.

Pencils:   colour?  brand?  feel?  sharpness?
cables:    shielding
food:      colour, shape, absence, warmth...
DRAM:      speed, reliability
organic:   taste, welfare, fair trade
Monster:   exotic theories about electron movement, bulk, fatness

All of these are things that (purport to) say the above products are not 

> What there may not be is some kind of monopoly that lets all the
> vendors charge outrageous prices while imposing contracts that
> eliminate all their liability, responsibility, etc.

The browser vendors control the certificate display such that they 
remove or reduce the ability of the CA to de-commoditise their product. 
As the CA cannot present any information to the consumer, the CA is 
commoditised.  No "pull".  Verisign is the same as ... name any other 
brand, and thus there is no brand.

Therefore the race to the bottom.  Inevitable, by the laws of economics. 
In the race to the bottom, contracts must be imposed that dump all 
liability, all responsibility on parties other than CAs [0], and other 
actions, so that the marginal cost of each certificate is zero.  As cost 
goes, so does security.

The race to the bottom can only be unwound by browser vendors making a 
decision that draws on economics/marketing theory and practice to show 
the CA's name and brand (logo) on the URL bar or similar.  Until that 
happens and the CA gets a reason to perform, secure browsing is a bottom 

(Typically, browser vendors can't see past the "advertising" aspects of 
CA brands.  "What's in it for me?" or "advertising is evil.")


[0] Originally CAs dumped liability on vendors and users.  See the 
oft-cited Baseline Requirements for a realignment of liability such that 
the CA liability dumping on vendors was eliminated.  This results in 
both CA and vendor dumping all liability on users.
