On Fri, January 4, 2013 3:06 pm, James A. Donald wrote:
> On 2013-01-05 8:05 AM, Ryan Sleevi wrote
> > Can you explain how, exactly, incumbents leverage any power to keep new
> > entrants out?
>
> Such behavior is necessarily a deviation from official truth, from the
> way certification is supposed to work, thus the only way to observe such
> behavior would be if emails leaked, as in the climategate files where we
> saw how peer review actually worked.
>
> Analogously, regulators, financial audits and ratings agencies were
> supposed to ensure that banks only invested in safe stuff. When the
> proverbial hit the fan, it became apparent that regulators, financial
> audits and ratings agencies in practice ensured that banks only invested
> in politically correct stuff, but no one can explain how, exactly, this
> happened - well it is pretty obvious how it happened, and one can make a
> pretty good guess how it happened, but there is no direct official
> evidence as to how it happened.
While I appreciate a good bit of paranoia and tin-foil hat wagging as much as the next person, I think your analogy breaks down pretty critically.

In the case you referenced, it was the role of auditors and regulators to keep people out / keep people honest, and they failed, and so more people / dishonest people got in. However, the speculation about CA collusion requires the CAs to be working hard to keep new entrants out - the exact *opposite* behaviour. Such a conspiracy requires auditors colluding to keep new entrants out.

To be quite frank, I would be surprised if anyone on this list, concerned about security, would be saddened or upset if they heard horror stories of WebTrust auditors finding actionable concerns that kept new entrants out - such as failures to adhere to their policies or unaddressed security concerns. At best, it means the market is incentivizing auditors to closely examine new entrants for best practices. Is that a bad thing, and does it really demonstrate a vast CA conspiracy?

Has there ever been a new CA, attempting to get audited, who has said with a straight face that the audits are unreasonably thorough? Shouldn't that be the bare minimum for having the ability to affect trust globally?

So at best, we have FUD and unsubstantiated speculation about auditors being "too" strict - at the same time that the browsers are working to make the requirements more strict.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography