Ram A M wrote:
Ian G wrote:


[revocation...]

I would be shocked to hear a positive ROI, but I
wouldn't be shocked at the price of running it!
It really does look like very expensive stuff
when I see the chit chat on these lists.


I guess it depends on the goal. If you consider brand equity and a
reputation for trying to do the right thing valuable then I'd argue
they think they're getting their money's worth.


I consider brand to be valuable in its place, definitely!

I don't quite see how you can link these things that
you talk of - CRL/OCSP - to brand equity or reputation,
simply because a) CAs have no branding way to reach
the relying parties (users) and thus b) a very limited
way to convince purchasing parties (sites) of the need
to pay attention.  This isn't the CAs' fault, and every
CA I have ever talked to understands that they are
powerless to develop their brand and thus their features
of quality of service until the browsers play their part.
But until that happens, any talk about CA brand is just
hypeware as far as I can see.

(This point comes out in the TrustBar paper where they
tested the brand recognition, and even Verisign flunked
the test.)

So, I'd suspect that brand and reputation are not useful
reasons behind CRL/OCSP work, as yet.  It may have a
strategic future, but that's for the futurologists.


I don't know, that information is by and large available by looking at
CRLs - at least for the public CAs.


Google found them in one hit :)  Unfortunately, even
though there are some very big files there, they are
in binary, so not easy to count the number of entries,
nor skim them for applicability.


I'll take a swag at part of it; the value of
revocation probably correlates to the value of transactions being
protected and inversely to the likelihood of errors in issuance - this
is by no means exhaustive but only illustrative.


Well, what I'd be inclined to look for is something
that said:

  1% of certs are revoked per annum.
  0.5% of these reach clients in time to block fraud.

  Therefore, estimated savings by reducing fraud to half.

Something like that ... that's a scratched out example.

Of course, we have fraud out there, that's what the
revocations are intended to stop.  So it is a simple
matter of measuring how much fraud is out there, then
working backwards from that to work out how many fraud
transactions are blocked by the revocations that actually
get through to the relying parties.

Nothing's perfect, we will see a failure rate in there,
where something didn't work out and a fraud got through.
It's probably a benefit if it can reach 50% savings.
If it was only 10% savings I'd be skeptical of its value,
and if it was 90% it would be miraculous.

But somewhere between those numbers would be grand, this
would be a solid working number that said to Mozilla,
yes, we can hang a hat on this.  We can say that the
attention paid to CRLs is definitely something to bring
to our users in a positive discriminatory fashion.


Well one approach to valuing it is to ask how much it's worth to shut
down a phishing site after two hours instead of a day or three. I think
the lower the up-front authentication the more important revocation
becomes; this assumes the authentication is valued or leveraged.


Right, that's the sort of calculation we need.  That
would be a perfect example for Mozilla to bring to its
users.

( But, until Firefox forces the phishers to use
certs, that is a hypothetical.  I saw an SSL phish
once about 2 years back and followed it through for
the investigative experience ... but nobody else has
seen them to my knowledge.  I would cheer the day we
see more of them, it would mean we would be making a
difference. )

So maybe the answer is that until SSL phishing starts
we cannot determine the value of CRLs and thus they
cannot be used as a way to determine "low"/"hi" assurance?

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
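Ian notes above that the public CRL files are binary, so counting entries or skimming them is not easy. The following is an added example, not code from the thread or from any CA: it walks a DER-encoded CRL with only the Python standard library and returns each revoked serial with its revocation date. The sample CRL (issuer "Example CA", two entries, placeholder signature value) is constructed inline, so nothing is fetched or signature-checked; the function names are mine.

```python
import datetime

def der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample CRL."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def parse_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                          # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Yield (tag, value) for each direct child of a constructed DER value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        yield tag, val

def crl_entries(crl_der):
    """Return [(serial, revocation datetime), ...] from a DER CertificateList.
    TBSCertList has three top-level SEQUENCEs: signature AlgorithmIdentifier,
    issuer Name and, if any certs are revoked, revokedCertificates (the third)."""
    _, cert_list, _ = parse_tlv(crl_der, 0)
    _, tbs, _ = parse_tlv(cert_list, 0)
    seqs = [val for tag, val in children(tbs) if tag == 0x30]
    entries = []
    for _, entry in children(seqs[2]) if len(seqs) > 2 else ():
        (_, serial), (dtag, date) = list(children(entry))[:2]
        fmt = "%y%m%d%H%M%SZ" if dtag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
        entries.append((int.from_bytes(serial, "big"),
                        datetime.datetime.strptime(date.decode(), fmt)))
    return entries

def sample_crl():
    """Constructed sample: issuer 'Example CA', two revoked serials, placeholder signature."""
    utc = lambda s: der(0x17, s.encode())
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))      # sha256WithRSAEncryption
    cn = der(0x30, der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x13, b"Example CA"))
    entry = lambda serial, t: der(0x30, der(0x02, serial) + utc(t))
    revoked = der(0x30, entry(b"\x10\x01", "240301120000Z") + entry(b"\x10\x02", "240415083000Z"))
    tbs = der(0x30, der(0x02, b"\x01") + alg + der(0x30, der(0x31, cn))
              + utc("240501000000Z") + utc("240601000000Z") + revoked)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 5))                 # signatureValue not real
```

`len(crl_entries(open("some.crl", "rb").read()))` gives the entry count for a real DER CRL; a CRL with no revokedCertificates field yields an empty list rather than an error.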