Ian G wrote:
> Frank Hecker wrote:
>
> > Now, what does this have to do with the present discussion?...
> >
> > At heart this is a technical distinction that IMO is ultimately driven
> > by the economics of the CA business: (commercial) CAs are motivated to
> > reach a new class of more price-sensitive customers (because their
> > traditional business has reached a plateau) and reaching those
> > price-sensitive customers requires achieving cost efficiencies, which in
> > turn can be done through the introduction of increased automation and
> > taking humans out of the loop.
>
> Right. It's important to bear in mind that the entire cert sales industry
> is tiny, and is literally too small to support the level of activity that
> we see. There are only about order of 100k certs to fight over in a year,
> so we are talking of order of under $100m for revenues spread among 100 CAs.
I think VeriSign claims over 400,000 active class 3 SSL subscribers.

> > It's tempting to attach a meaning to this technical distinction between
> > "control of domain" certs and "claimed identity" certs, and say that the
> > first is "low assurance" and the second is "high assurance";...
>
> The reason for separating out the certs into "high" and "low"
> is almost guaranteed to be marketing.

Disagree. There is certainly pressure to segment the market, especially when there is a real difference in requirements. I think there is a huge unserved market for class 1 server certificates.

> > ...IMO it's more that the distinction between
> > different types of certs *could* be made on technical grounds (having to
> > do with different cert issuance processes) and having done that it's
> > then tempting to attach fixed security-related meanings (e.g., "low/high
> > assurance") to the distinction.
>
> Precisely. Security and so forth comes along conveniently
> to help the marketing. But we shouldn't make the mistake
> that this is anything but a convenience.

You would be shocked to learn the price of running revocation services (CRL serving and OCSP responders). No immediate value to the CA, other than providing a more robust service that is safer to rely on, comes to mind. The extra authentication costs associated with a dual-controlled authentication process with manual review don't add much marketing value (yet?), but such a process is more robust, less susceptible to requiring revocation, and in that way a better candidate for banking or other authentication-sensitive applications than a fully automated process.
I think you'll appreciate the need to manage margins as part of competing in a market, and I assume that, given a few hundred million US dollars on the line annually and a large list of enabled competitors in the space (how many entries are on the IE and MoFo root lists for SSL?), the market is at least somewhat competitive, and that CAs doing expensive auth. and running expensive services wouldn't do it if they didn't want to offer a best-of-breed service, would they?

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
