On 5/01/13 01:05 AM, Ryan Sleevi wrote:
On Fri, January 4, 2013 12:59 pm, Greg Rose wrote:
  You could ask the folks at CAcert... I imagine Ian Grigg will also chime
  in. Certification costs a lot, and as you have observed, the incumbents
  try very hard to keep you out. Despite some reasonable sources of funding,
  CAcert still didn't succeed.

  Greg.

Can you explain how, exactly, incumbents leverage any power to keep new
entrants out?

Ref OP's last para, bottom, and pgut's more detailed explanation. The technical term in economics art is "barriers to entry." Cf. Michael Porter's 5 forces, for those who really want references, and aren't just throwing the speculation mud around.


The policies are set by the browsers/root store operators - not CAs.

Microsoft -
http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx
Apple - http://www.apple.com/certificateauthority/ca_program.html
Mozilla - http://www.mozilla.org/projects/security/certs/policy/
Opera - http://www.opera.com/docs/ca/


Who wrote the policies?

Answer -- the vendors in consultation with the CAs. Fuller answer - observe that the vendors have little understanding of the industry, so they naturally lean on the participants to come up with a "best practice." This process migrates naturally to the original incumbents raising the barriers.

Consistent among them is that they require a WebTrust or ETSI audit -
audits which were designed to reflect the collective shared policies of
the browsers. Not collective action by CAs.


Who promotes the audits?

Short answer:  The CAs who have them.

Longer answer -- although the vendors agree with the audit process, very few of them can pin down how they help the user or the vendor. It's a regulation in place, not one that necessarily helps or proves anything. As a matter of my experience, the audits and auditors generally turn a blind eye to user interests, and generally concentrate on those things that the CAs think is important to them. Vendors however haven't the experience of the CAs nor the understanding of audit to see that. But they are content because they have achieved a compliance objective. Auditors don't care as long as they are respected and they get paid their fees. Everyone's happy.

So what is the real question? This is mine: does the audit do anything positive for the users? My answer - no.


More recently, the browsers have begun to increase the minimum
requirements they expect of their root store participants, in light of
several prominent failures. These are memorialized in the CA/Browser
Forum's Baseline Requirements (
https://www.cabforum.org/Baseline_Requirements_V1_1.pdf ), which were
driven by browsers seeking to find a consistent, common agreement about
the requirements of their members.

Yes.  Barriers to entry, reading from the prayer book.

CAcert's failures have nothing to do with the actions of any incumbent CA,
but through an inability so far to meet the requirements set forth by the
browser programs they were seeking to be included in.

That's mostly true but not entirely. When CAcert attempted to get into Mozilla, Mozilla didn't have a policy. Opera charged a flat rate for any CA to get in, no questions asked (more or less). Microsoft didn't have a policy but a secret legal process. Konqueror did whatever Mozilla did. WebTrust was optional, and easy.

The supporters of CAs were amongst those who delayed CAcert in. The obvious question was raised "what's your policy?" It is impossible to separate out the CAs and the useful idiots in this respect, but the fact is that "before" it was trivial, more or less just small amounts of money. After it was expensive and difficult.

And:  few CAs that were in before were re-verified.

Further, Mozilla's publication of an open, formally prepared and thought out policy (to which I contributed) did cause a wave of consolidation such that now, we're drowning in policies & audits.

The part that is true is that CAcert was not really at that time in a position to meet a proper reading of WebTrust. However, neither were many other CAs, including the ones with WebTrust :) CAcert wouldn't have met the needs of the first audit criteria, nor the first auditor.

It took around 3 years for CAcert to meet its first audit criteria. But, no other CA will meet those needs now, either. They will all fail the audit criteria that CAcert used.


Even Ian has
attested that Mozilla's policy is both clear and fair in this regard.


:) Mozilla's policies are fairly clear; but/and I had a hand in writing them. Indeed, before I took on the CAcert role, which is ironic.

Fair.  What is fair?  That's a rabbit hole, don't go down it.

I will however say that it is my opinion that the policies do not meet the needs of users. At all, in any way shape or form.

Additionally, there are not,

whatever.

A lot of speculation on this thread, but the answers are readily and
trivially available.


As one poster wrote recently, "you have failed to prove your points." (Meaning, I.) Heavy implication - you have to prove your points or you're wrong.

This implication is wrong. As we all know, some things are not provable. More specifically, it is not provable because the evidence cannot be presented.

Therefore, this leads to an obvious attack - keep all evidence secret, then tell everyone who criticises the system that they have to prove their points. Knowing that they cannot bring the evidence. Therefore they are wrong.

This is the attack that the CA industry uses and has always used (that's my opinion, but I can present some evidence). Although the policies are somewhat clear now across vendors - it wasn't always so and it was only that concerted effort at Mozilla that led to the openness of the policies.

And, only policies.

E.g., the only place where there are open deliberations is Mozilla. And, little known secret - not all the deliberations in Mozilla are open, some are secret. Guess which parts... None of the deliberations of the other vendors are open. Indeed, to enter into any discussions with some vendors they may make you sign quite serious NDAs first off. Even your own presentations are secret.

Until Mozilla, everything about the industry was secret. After Mozilla's policy, some things got opened up, but only around 10% across the industry. And only around 30% at Mozilla. It's still a secret industry. Only 6 months ago did CABForum - a totally secret organisation - agree to open up. And only then, when the insiders were able to craft a facade.

In that environment, the onus is on the CAs to prove they are doing the right thing. And that they cannot do - because they keep it secret.



Finally, it seems to me that since there are so few root CAs (~30 ?) and
the service provided is such an arbitrary, misunderstood one, that
existing CAs would be actively trying to prevent new entrants ... and
establish themselves as toll collectors with a pseudo monopoly ... what
evidence (if any) do we have that they are pursuing such an ecosystem ?



iang

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
