Ian G wrote:
> Nelson B wrote:
> > Having bought his first cert from CA X, if he ever buys a cert
> > from CA Y instead, all his users will be alarmed.  This gives
> > CA X opportunity to charge ever higher prices for cert renewals.
>
> In practice this would be the case, if the users decided to let them do that. I don't see too many users just slavishly renewing without a bit of a tussle. Most sites that have a real user base and users worried about security will also have a way of notifying them otherwise that something will change.

Well, yes, but that's also a possible opportunity for attackers. Imagine a flood of phishing emails sent prior to the (known) cert expiry date: "We're switching cert providers and you will get a warning message when you next connect to our site, please click on the link below to ensure that our new cert works in your browser." Plus Ram's point about support calls is valid as well.


However I'm not overly concerned about Nelson's "monopoly pricing" scenario. CAs can't raise renewal prices for existing customers overmuch, or they would cause new customers (who haven't yet acquired certs) to flee to competitors. I think the desirability of staying with the initially-selected CA will to some extent put a floor under pricing (especially renewal pricing) for the sorts of organizations that buy the higher-priced "higher assurance" certs, but I think those customers are relatively price-insensitive anyway, and there wouldn't be tremendous pressure to drive down prices even in the absence of the factor Nelson mentions.

One might counter that contracts between CAs and their customers are private, and so CA might try to take the opportunity to price gouge each of the customers separately. The obvious way to counter that is for wise customers to negotiate up front a cap on renewal pricing increases (e.g., cannot increase more than 10 per cent per year) for an appropriate period of time (e.g., 5-10 years or even longer). This is what customers do in the enterprise software market in order to limit potential increases in software maintenance fees.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
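The scenario the thread argues about (users being "alarmed" when a site's next cert comes from CA Y rather than CA X) implies a client that remembers which CA issued the cert it last saw for each host and warns when that issuer changes. The following is an added illustration, not code from this thread or from Mozilla; it assumes a trust-on-first-use issuer store of that kind, and the host name, CA names and dates are constructed. It shows why a plain renewal with the same CA is silent, why a switch of CA fires the warning, and how an out-of-band notice from the site (Ian's point) would be modelled as the user accepting the new issuer.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class CertInfo:
    """The parts of a server certificate this model looks at."""
    host: str        # server name the cert is presented for
    issuer: str      # name of the issuing CA, e.g. "CA X" (constructed)
    not_after: date  # expiry date of the cert


@dataclass
class IssuerPinStore:
    """Trust-on-first-use store of the issuing CA last seen per host.

    Assumed model (not a real browser feature): the first issuer seen for a
    host is recorded, later connections are compared against it, and a
    different issuer is reported to the user.
    """
    pins: dict = field(default_factory=dict)

    def check(self, cert: CertInfo, today: date) -> str:
        """Classify a presented cert relative to what was remembered."""
        if today > cert.not_after:
            return "expired"
        previous = self.pins.get(cert.host)
        if previous is None:
            # Nothing remembered yet: record the issuer silently.
            self.pins[cert.host] = cert.issuer
            return "first-use"
        if previous == cert.issuer:
            # Renewal with the same CA: no change to report.
            return "ok"
        # Renewal with a different CA: this is the warning the thread discusses.
        return f"issuer-changed: {previous} -> {cert.issuer}"

    def accept_change(self, host: str, new_issuer: str) -> None:
        """User confirms a CA change announced out of band by the site."""
        self.pins[host] = new_issuer


def simulate() -> list:
    """Walk one site through first purchase, renewal, and a CA switch."""
    store = IssuerPinStore()
    host = "www.example.test"  # constructed host name
    results = []
    # Year 1: first cert bought from CA X.
    results.append(store.check(CertInfo(host, "CA X", date(2006, 1, 1)), date(2005, 1, 15)))
    # Year 2: renewed with CA X; nothing for the user to notice.
    results.append(store.check(CertInfo(host, "CA X", date(2007, 1, 1)), date(2006, 1, 15)))
    # Year 3: site moves to CA Y; every returning user sees a warning.
    results.append(store.check(CertInfo(host, "CA Y", date(2008, 1, 1)), date(2007, 1, 15)))
    # The site had announced the change through another channel; user accepts.
    store.accept_change(host, "CA Y")
    results.append(store.check(CertInfo(host, "CA Y", date(2008, 1, 1)), date(2007, 1, 16)))
    # A cert presented after its expiry is rejected regardless of issuer.
    results.append(store.check(CertInfo(host, "CA Y", date(2008, 1, 1)), date(2008, 2, 1)))
    return results


if __name__ == "__main__":
    for outcome in simulate():
        print(outcome)
```

The point the model makes concrete is that the warning is tied to the renewal date, which is public in the old cert's `notAfter` field; that is what makes the pre-expiry phishing wave described above plausible, since attackers can predict when a genuine warning might appear.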
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security