Frank Hecker wrote:
Ian G wrote:

The reason for separating out the certs into "high" and "low"
is almost guaranteed to be marketing.


Which is not necessarily a bad thing. Just because something is done for "marketing" reasons doesn't mean that there's not actually value provided to potential buyers, at least as they perceive it (and after all, it's their money).


This is absolutely correct!  There is nothing wrong
with this .. but see below.


http://en.wikipedia.org/wiki/Consumer_surplus (not so good)
http://en.wikipedia.org/wiki/Price_discrimination  (better)


For a good discussion of price discrimination strategies as they relate to information goods, I particularly recommend Varian and Shapiro's book "Information Rules":

http://www.amazon.com/exec/obidos/ASIN/087584863X

I'd love to have the time to read that!


The thing to keep firmly in mind is that this is *nothing*
to do with the technical issues of security or even cost.
It is solely a phenomenon of marketing and economics known
as price discrimination.


Yes, but... It's not necessarily "just marketing", either in general or for this specific case. In many cases -- and I would argue, in the cases in which it works best -- price discrimination is associated with real differences in value as perceived by customers, even if some would question what that value actually is. (For example, some users of open source software would question the value of paying for "certified" versions of software, but others do perceive value in this.)


Right.  So here's the thing.  The company's only
interest is economic discrimination.  However the
user is uninterested in that, even offended.  So
the user has to govern the company by either going
somewhere else or grumbling or causing trouble.

That is, the attention to user needs is a secondary
effect that drives the company away from its primary
desire of capturing the consumer surplus (as an
economist would say it).

So it's a feedback loop of two competing forces.
Really great for the world as it makes for improvement;
it's called competition.

Now, here's the clanger:  in *some* markets, the user
does not play their part .. or plays it inadequately.
In those markets, the product mix moves towards pure
discrimination on arbitrary price points.  Only when
the user governs the suppliers by bringing them back
to the needs of the user is the feedback loop then
engaged and the user's needs met.

Here's the conclusion:  I claim, or hypothesize,
that the market for certs is such a market:  that
the users cannot easily govern the suppliers for
their desired characteristics, so the market has
moved as much as it is able (size is the limit here)
to a mix of products based on arbitrary price points.

(When I say, arbitrary, I mean without obvious or
working feedback.  If you say, the price point is
security, I would say, ok, show us some evidence
of consumers choosing on security.)

Now, if this is the case, what this means in the right
here and right now is that none of those arbitrary
points that we see out on the market place (c.f. the
post of the prices of certs for different suppliers)
will support a policy decision by Mozilla Foundation.

And that won't change until users start to govern
the market place based on criteria that are important
to the users.

(Hence, a lot of my writings are directed at getting
information to the users, so that they can start to
govern the marketplace and direct the suppliers to
provide product that matters to them.  A lot of other
people's writings are directed at hiding that info
so that the current status quo can continue.  Standard
ostrich economics.)


How do we prove this?  Easy:  the existence of different
certs for different prices has to be primarily to create
a ramped price structure for the perception of the buyer
of the cert because the end-users - the browsing user and
the site operator - can't see the difference anyway.


Well, we're talking about introducing a difference (e.g., as in my strawman SSL UI proposal), and that might in turn make a difference in perceived values of the different offerings.


Right.  So the question for that proposal is what to
hang the hat of the difference on.  I argue above that
there is nothing that is there currently that will
support that.

OTOH, there is a pressing need to get the users - the
relying parties or the cert buyers - to make decisions
on security.  Which needs more information, which is
currently withheld from them.  Release the information
and the users will provide the signal needed to
separate "low" from "high" ...

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/