In two separate replies (one public, one private), Peter Gutmann wrote:
-------- Original Message --------
Subject: Re: $90 for high assurance _versus_ $349 for low assurance
Date: Wed, 16 Mar 2005 02:23:49 +1300
From: [EMAIL PROTECTED] (Peter Gutmann)
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
CC: cryptography@metzdowd.com, [EMAIL PROTECTED], mozilla-security@mozilla.org
Ian G <[EMAIL PROTECTED]> writes:
Or is this merely a distinction in adspace only? Just a way to separate more dollars from Alice?
It's a distinction in adspace only, in the same way that you're expected to think that a $200 DVD player from Sony Corp is better than a $40 player from Foo Yuk Corp (obviously enough people think that way that the $200 ones still sell, even if a feature-by-feature comparison shows the $40 one is better). In other words the charge-more-for-the-name model seems to work as well here as it does elsewhere.
(Note that Verisign do perform more extensive checking for the more expensive grades of cert, but whether that's worth several hundred dollars is an open question. Certainly with UIXC it's not worth anything).
Peter.
-------- Original Message --------
Subject: Re: $90 for high assurance _versus_ $349 for low assurance
Date: Wed, 16 Mar 2005 02:35:23 +1300
From: [EMAIL PROTECTED] (Peter Gutmann)
To: [EMAIL PROTECTED]
... To do multi-level/graded CAs you'd need to define requirements for each grade, along with auditing/certification procedures. Given that most of the people with an interest in this sort of thing are professional meeting-goers and bureaucrats with more interest in perpetuating their bureaucracy than in solving problems, I doubt you'd ever get any resolution to this, although you might get a 400-page policy document after several years of argument.
In other words, this problem is way, way up in the political layer, and I can't see any way of resolving it. It'd certainly be a good idea to make some distinction, but it's not a productive area to apply effort. It'd be better to look at some of the work on secure UI design (e.g. anything by Ka-Ping Yee, Simson Garfinkel's thesis, etc etc). Work on the stuff that's solvable and leave this one as a honeynet for the bureaucrats to prevent them from causing any damage elsewhere. ...
It not only has limited definition, it has no definition. I can give away certs for free to all comers and call them Premium Grade Ultra High Assurance Titanium Certs if I want.
Peter.
_______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security