Ram A M wrote:

Right.  It's important to bear in mind that the
entire cert sales industry is tiny, and is literally
too small to support the level of activity that we
see.  There are only about order of 100k certs to
fight over in a year, so we are talking of order of
under $100m for revenues spread among 100 CAs.


I think VeriSign claims over 400,000 active class 3 SSL subscribers.


Ha.  If they do, then they must be in non-browser
areas.  Here's February's month's stats:

http://www.securityspace.com/s_survey/sdata/200502/certca.html

Which indicates 210k servers and Verisign with
less than 100k of those.  I wonder what could
possibly make up 300k additional class 3s?

Perhaps email certs within companies?  That
might give them the numbers, but why would a
company want high end user email certs?

Looking at the site, yes, you are right, they
claim 450,000 web servers, which is more than
securityspace.com can find!

Hmmm, hold on, later it says "450,000 Web sites,
intranets and extranets worldwide" which is
different.  Maybe these are all individual
client certs that they are counting.


The reason for separating out the certs into "high" and "low"
is almost guaranteed to be marketing.


Disagree. There is certainly pressure to segment the market, especially
when there is a real difference in requirements. I think there is a
huge unserved market for class 1 server certificates.


:-)  These are the sort of marketing questions
that keep people arguing for yonks.  Let's
suffice to say that economists see the same
process in every market, and they also see it
occur over the silliest of discriminations.


You would be shocked to learn the price of running revocation services
(CRL serving and OCSP responders).


I would be shocked to hear a positive ROI, but I
wouldn't be shocked at the price of running it!
It really does look like very expensive stuff
when I see the chit chat on these lists.

Question:  How many revocations does a CA do per
year?


No immediate value to the CA other
than providing a more robust service that is safer to rely on comes to
mind.


Which brings up a point that others have suggested
as something to hang the hat of low/high assurance
on.

In order to decide on CRL/OCSP (either, both) as
being a discriminatory metric for MoFo purposes,
we would want to show that this had meaning to the
users of the product (Firefox, not the cert).

So, when you say the above .. and the below, is
there any way of showing that this might be worth
something to Firefox users?


The extra authentication costs associated with a dual-controlled
authentication process with manual review don't add much marketing
value (yet?) but it does provide a more robust process that is less
susceptible to requiring revocation and in that way is a better
candidate for banking or other authentication-sensitive applications
than a fully automated process. I think you'll appreciate the need to
manage margins as part of competing in a market and I assume that
given a few hundred million US dollars on the line annually and a large
list of enabled competitors in the space (how many entries on the IE
and MoFo root lists for SSL) that the market is at least somewhat
competitive and that CAs doing expensive auth. and running expensive
services wouldn't do it if they didn't want to offer a best-of-breed
service, would they?


My understanding was that the number of revocations
done is in the low hundreds per year.  Has anyone
put a dollar value on how much that is worth?

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto