[Cryptography] Well, that only took ten years

Jerry Leichter leichter at lrw.com
Fri Aug 16 09:18:09 EDT 2019


> In my earlier post, I mentioned that I'd been unable to get comments from any
> CA on the change.  One has now commented:
> 
>  Yes, I work for a CA that issues EV certificates, but if there was no value
>  in them, then our customers would certainly not be paying extra for them.
>    - GlobalSign employee.
> 
> I've already added it to my quotes file :-)....

Ah, but EV certificates *do* have value; and in fact the GlobalSign employee is perfectly correct:  If their customers didn't see that value, they wouldn't pay.

The error is in assuming that how *you* assign value matches how the *GlobalSign customer* assigns value.  You are looking at the value as coming from greater security.  That value is so close to $0.00 that it's not worth thinking about.

The GlobalSign customer, on the other hand, has, or believes he has (based on industry chatter), evidence that presenting an EV certificate on his eCommerce Web site increases sales by x%.  On top of which, his security auditor is telling him this is an industry standard and his rating will be cut if he doesn't get an EV certificate.  Or ... he just wants to keep his manager or his board off his back (and continuing to give him nice bonuses) by showing he's doing "the right thing."  All of these have economic value, usually way beyond the cost of an EV certificate.  And that value is every bit as real as any other value that people find in the things they pay for.
                                                        -- Jerry