Hi Nelson!

>>> 1. The reason there is a strong dominating player at
>>> the moment is because there is no way to compete.
>>
>> But the reason there's no way to compete is due to whose root certs are
>> in the main browsers, not any other reason like branding or lack of it.
>
> What are you guys smoking?
>
> Stop saying Verisign has a monopoly unless you can show evidence of it.
On no measure has Verisign got a monopoly, but sometimes it is common lingo to call the largest player "the monopoly." It's incorrect, but honestly, it's not worth correcting.

However, as for stats, those published here:
http://www.securityspace.com/s_survey/sdata/200411/certca.html
confirm that the market has resumed slow growth, and continues to move slowly towards a more regular "free market" profile. If trends continue, Verisign will no longer be the largest player within 6 months, at a guess.

> There is a large number (~100) of trusted root CA certs in mozilla.
> Some of the CAs there sell SSL server CA certs for WELL BELOW $100.
> Several of them give away email certs for free.
> mozilla has admitted more new CA certs to the trusted list in 2004 than
> in any year since the establishment of mozilla in 1998.
> The criteria for "competing" are pretty well established.
> Stop spreading FUD.

Ah, that's one sentence too far!

The problem with the CA certs market is that it is artificially constrained by the browser's use of the root list. That makes for a barrier to entry, which is today measured as the cost of a WebTrust. Hence, costly (anyone here got a dollar figure on it?).

Now, if the root list were *not* the undisputed and sole vector of trust, and we were also to employ user-based techniques of trust - like Amir and Ahmed's logo signing ideas, or the other things that have been discussed to put the relationship onto the chrome - we would *change* the market for certs. And thus change the criteria for competing. We would actually open it up for more competition, and also enlarge the market for more CAs to sell more certs.

What's more, we'd also do something about phishing by giving the user the tools needed for them to protect themselves. So we'd also be meeting the security goals of Mozilla as well: delivering a product that helps the ordinary user to fight their threats, which, as far as Firefox is concerned, is phishing, phishing, and also phishing.
Changing the market in this way has zero down side that I can see, and lots and lots of upside.

That all is the opposite of FUD, which happens to be what the current system is based on: Fear of the MITM, Uncertainty in the notion that only with a CA can you shop safely, and Doubt over whether users will ever find anyone to take responsibility for their losses over browsers supposedly secured by CA-signed certs.

The main game right now is phishing. What is the plan to deal with phishing? Anything else is of secondary importance. (Which is not to criticise the development crew, as it is clearly a vexatious issue; and Mozilla does lead the way with its little domain sticker down in the bottom right corner.)

iang

_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security