Frank Hecker wrote:
> Now, what does this have to do with the present discussion?...
> At heart this is a technical distinction that IMO is ultimately driven
> by the economics of the CA business: (commercial) CAs are motivated to
> reach a new class of more price-sensitive customers (because their
> traditional business has reached a plateau) and reaching those
> price-sensitive customers requires achieving cost efficiencies, which in
> turn can be done through the introduction of increased automation and
> taking humans out of the loop.
Right. It's important to bear in mind that the
entire cert sales industry is tiny, and is literally
too small to support the level of activity that we
see. There are only about order of 100k certs to
fight over in a year, so we are talking of order of
under $100m for revenues spread among 100 CAs.
> It's tempting to attach a meaning to this technical distinction between
> "control of domain" certs and "claimed identity" certs, and say that the
> first is "low assurance" and the second is "high assurance";...
The reason for separating out the certs into "high" and "low"
is almost guaranteed to be marketing. The marketing imperative
is to create a ramped range of products. This is a well
studied phenomenon in b-school and marketing school, as well
as (perhaps surprisingly) economics. The key phrases here are
'consumer surplus' and also 'price discrimination' if anyone
fancies researching more:
http://en.wikipedia.org/wiki/Consumer_surplus (not so good)
http://en.wikipedia.org/wiki/Price_discrimination (better)
Or, here's a quick description with grounding in the certs
market.
When a market only has one product, the pressure to create
two products, being an expensive one and a cheap one, is
*immense*. It would be utterly astounding if this were not
to happen, it would represent a challenge to our understanding
of the laws of economics. But we can ignore that as the market
for certs followed on spec.
Once two products are established and are *successful* there
arises pressure to create three, then four, then more, and in
each case there is one primary objective: create a range of
prices from very cheap to very expensive.
Now, the market for certs has followed here as well. Look
at godaddy's page, and you will see *four* different certs
all with different prices.
The thing to keep firmly in mind is that this is *nothing*
to do with the technical issues of security or even cost.
It is solely a phenomenon of marketing and economics known
as price discrimination.
However - and this is where the security comes in - when
the user is presented with these different prices, they
need something to justify the difference. Security happens
to be a highly convenient issue. Automation is very
convenient for cheap, and human checking is good for
expensive. But you'll also note that wildcard domains
are in there as well, and they are priced differently on
different metrics.
How do we prove this? Easy: the existence of different
certs for different prices has to be primarily to create
a ramped price structure for the perception of the buyer
of the cert because the end-users - the browsing user and
the site operator - can't see the difference anyway.
QED.
> ...IMO it's more that the distinction between
> different types of certs *could* be made on technical grounds (having to
> do with different cert issuance processes) and having done that it's
> then tempting to attach fixed security-related meanings (e.g., "low/high
> assurance") to the distinction.
Precisely. Security and so forth comes along conveniently
to help the marketing. But we shouldn't make the mistake
that this is anything but a convenience.
(I'll go and read the non-econ part now...)
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/