Ian G wrote:
> Ram A M wrote:
>
> >>Right. It's important to bear in mind that the
> >>entire cert sales industry is tiny, and is literally
> >>too small to support the level of activity that we
> >>see. There are only about order of 100k certs to
> >>fight over in a year, so we are talking of order of
> >>under $100m for revenues spread among 100 CAs.
> >
> >
> > I think VeriSign claims over 400,000 active class 3 SSL subscribers.
>
>
> Ha. If they do, then they must be in non-browser
> areas. Here's February's month's stats:
>
> http://www.securityspace.com/s_survey/sdata/200502/certca.html
>
> Which indicates 210k servers and Verisign with
> less than 100k of those. I wonder what could
> possibly make up 300k additional class 3s?
>
> Perhaps email certs within companies? That
> might give them the numbers, but why would a
> company want high end user email certs?
>
> Looking at the site, yes, you are right, they
> claim 450,000 web servers, which is more than
> securityspace.com can find!
>
> Hmmm, hold on, later it says "450,000 Web sites,
> intranets and extranets worldwide" which is
> different. Maybe these are all individual
> client certs that they are counting.

I read it to say 450,000 Web sites [including those on] intranets and extranets worldwide. I don't really know.

> >>The reason for separating out the certs into "high" and "low"
> >>is almost guaranteed to be marketing.
> >
> >
> > Disagree. There is certainly pressure to segment the market, especially
> > when there is a real difference in requirements. I think there is a
> > huge unserved market for class 1 server certificates.
>
>
> :-) These are the sort of marketing questions
> that keep people arguing for yonks. Let's
> suffice to say that economists see the same
> process in every market, and they also see it
> occur over the silliest of discriminations.

However I think you'll agree with me that economists would generally not agree that every market segmentation and differentiation is around silly differences.

> > You would be shocked to learn the price of running revocation services
> > (CRL serving and OCSP responders).
>
>
> I would be shocked to hear a positive ROI, but I
> wouldn't be shocked at the price of running it!
> It really does look like very expensive stuff
> when I see the chit chat on these lists.

I guess it depends on the goal. If you consider brand equity and a reputation for trying to do the right thing valuable then I'd argue they think they're getting their money's worth.

> Question: How many revocations does a CA do per
> year?

I don't know, that information is by and large available by looking at CRLs - at least for the public CAs.

> > No immediate value to the CA other
> > than providing a more robust service that is safer to rely on comes to
> > mind.
>
>
> Which brings up a point that others have suggested
> as something to hang the hat of low/high assurance
> on.
>
> In order to decide on CRL/OCSP (either, both) as
> being a discriminatory metric for MoFo purposes,
> we would want to show that this had meaning to the
> users of the product (Firefox, not the cert).

I don't think even the best practices can assure perfect authentication, after all both computers and humans are used and both are prone to errors. I'll take a swag at part of it; the value of revocation probably correlates to the value of transactions being protected and inversely to the likelihood of errors in issuance - this is by no means exhaustive but only illustrative.

> > The extra authentication costs associated with dual-controlled
> > authentication process with manual review doesn't add much marketing
> > value (yet?) but it does provide a more robust process that is less
> > susceptible to requiring revocation and in that way is a better
> > candidate for banking or other authentication sensitive applications
> > than a fully automated process. I think you'll appreciate the need to
> > manage margins as part of competing in a market and I assume that
> > given a few hundred million US dollars on the line annually and a large
> > list of enabled competitors in the space (how many entries on the IE
> > and MoFo root lists for SSL) that the market is at least somewhat
> > competitive and that CAs doing expensive auth. and running expensive
> > services wouldn't do it if they didn't want to offer a best-of-breed
> > service, would they?
>
>
> My understanding was that the number of revocations
> done is in the low hundreds per year. Has anyone
> put a dollar value on how much that is worth?

Well one approach to valuing it is to ask how much it's worth to shut down a phishing site after two hours instead of a day or three. I think the lower the up-front authentication the more important revocation becomes; this assumes the authentication is valued or leveraged.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
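The "how many revocations per year" question above can be answered from a CA's published CRL. The following is an added example, not code from the thread: it builds a throwaway CA key and a small DER CRL with made-up serials and revocation dates (in practice you would fetch a public CA's CRL instead), then parses the CRL back and counts revoked entries per year. It assumes the Python `cryptography` package is installed; the issuer name, serials and dates are constructed for illustration.

```python
"""Count revocations per year in an X.509 CRL (constructed sample data)."""
import datetime as dt
from collections import Counter

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def build_sample_crl() -> bytes:
    """Return a DER-encoded CRL signed by a throwaway key.

    Hypothetical data: issuer, serials and dates are invented for this
    example; a real survey would download a public CA's CRL instead.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(dt.datetime(2005, 3, 1))   # naive datetimes are taken as UTC
        .next_update(dt.datetime(2005, 3, 8))
    )
    # (serial, revocation date) pairs: two revocations in 2004, one in 2005
    revoked = [
        (1001, dt.datetime(2004, 5, 2)),
        (1002, dt.datetime(2004, 11, 17)),
        (1003, dt.datetime(2005, 1, 9)),
    ]
    for serial, when in revoked:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(when)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(private_key=key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


def _revocation_year(entry: x509.RevokedCertificate) -> int:
    # cryptography >= 42 exposes revocation_date_utc; older releases only revocation_date
    when = getattr(entry, "revocation_date_utc", None) or entry.revocation_date
    return when.year


def revocations_per_year(crl_der: bytes) -> dict:
    """Parse a DER CRL and bucket its revoked entries by revocation year."""
    crl = x509.load_der_x509_crl(crl_der)
    counts = Counter(_revocation_year(entry) for entry in crl)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print(revocations_per_year(build_sample_crl()))  # -> {2004: 2, 2005: 1}
```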
