I think this discussion is slightly over the heads of the crowd that we could call "users". For that lot, using the SSL model we can only hope that the CAs represented in browser truststores do their job. BTW, VeriSign is a name brand for the _buyers_ of SSL certificates but (in the browser environment) not for relying parties of the consumer kind.
I know that this is the opposite of how PKI trust was intended to work, but that is the reality. It might be of interest to note that Microsoft, in their latest effort to rule the world using "InfoCards", deprecates the idea of using SSL certificates and instead touts organization certificates, as it is really not the CA you are after, but knowing that you are talking to the right partner. If this list believes that users should make conscious decisions on what CAs to trust, you are on the wrong track, as this is impossible to do for mere mortals. A possible solution would be that you, for a fee, "outsourced" CA trust decisions to a party that has this as their prime business. Such a model would in fact add considerably more interesting stuff to the plot than just CA validity. It could actually claim that the reputation of an organization you are about to contact is not the best.

Anders R

----- Original Message -----
From: "Ian G" <[EMAIL PROTECTED]>
To: <[email protected]>; "Ram A Moskovitz" <[EMAIL PROTECTED]>
Cc: "Duane" <[EMAIL PROTECTED]>
Sent: Saturday, May 21, 2005 14:55
Subject: The Worth of Verisign's Brand

On Saturday 21 May 2005 02:22, Ram A Moskovitz wrote:
> You have repeatedly argued that the value of brand and reputation
> plays into a CA's behavior. Here you are saying that a CA would toss
> its reputation to keep one of its small (revenue size) customers
> happy.

Correct on both counts. Now, you are implying that there is a contradiction in these two statements. There is none.

In the current market for CAs, reputation is not that important; it is more a missing element that is believed to be important by those CAs that grew up in the old model. If you want a cite, see Amir & Ahmad's paper where they test the brand of Verisign and come up confused.

Reputation *could* be very important to play into a CA's behaviour, but before reputation can do that, it has to enter the public's mind. In order to do that, the browser should present the brand of the CA, as is done in the screen shots in that paper. There are other ways, but this is the most cost-effective that I can think of (cf. Intel Inside).

Now, I know many of you believe that this original Netscape security model is bad. All I can say is this is how brand works: you stick the logo everywhere that is important, that creates the name-brand-reputation relationship in the consumer's mind, and that then leads to the brand becoming valuable, which finally places an onus on the company to protect its valuable brand, by doing the right thing for the customer. Brand is inextricably linked to capitalism and giving the consumer the ability to vote with their dollar or euro; the alternative is "we know better", and that is always related to extra costs and no delivery of service, because "we know better" can't work in practice.

As far as consumer brands are concerned, Verisign could sell its cert division tomorrow and no consumer nor any merchant would notice. (cite: NetSol.)

In sum, the Verisign reputation does not hold back the company from shafting any given retail customer, or merchant, or any small player, IMHO. Whether it does so is another question; my point today is that the brand and reputation would not hold it back.

I wish it did. I would like Verisign's reputation to act as a brake on the company's behaviour. I would also like not to have to repeat this same mantra so many times to overcome the resistance to change, and to craft a place in the future for CAs. Without brand, CAs have no future; they will be overtaken by the events that are unfolding now. (cite: Netcraft.)
iang
--
Advances in Financial Cryptography: https://www.financialcryptography.com/mt/archives/000458.html

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
