Frank Hecker wrote:
Ian G wrote:

Nelson B wrote:

Having bought his first cert from CA X, if he ever buys a cert
from CA Y instead, all his users will be alarmed.  This gives
CA X opportunity to charge ever higher prices for cert renewals.


In practice this would be the case, if the users
decided to let them do that.  I don't see too many
users just slavishly renewing without a bit of a
tussle.  Most sites that have a real user base
and users worried about security will also have a
way of notifying them otherwise that something will
change.


Well, yes, but that's also a possible opportunity for attackers. Imagine a flood of phishing emails sent prior to the (known) cert expiry date: "We're switching cert providers and you will get a warning message when you next connect to our site, please click on the link below to ensure that our new cert works in your browser." Plus Ram's point about support calls is valid as well.


Right.  So every site then learns to put up an
announcement saying "switch" or "stick" a month
ahead of time.  No big deal.


However I'm not overly concerned about Nelson's "monopoly pricing" scenario.


Raising prices is bad for existing competitors,
but it is good for new competitors.  It raises
the floor under which they have to compete;  one
of the lessons of privatisation is that if you
want your privatisation to fail, also couple it
with a reducing price requirement on the monopoly
issuer.  This causes the old monopoly to squeeze
the competitors so hard they generally break, and
no competition results. C.f., telco "liberalisation"
is now unwinding things like "access" and price
capping.

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
