Ram A M wrote:
I want to disclose that I work for a commercial CA. I also want to
make clear that like always in my postings here I am not representing
my employer. My postings here are my opinion and my opinion is subject
to change. I should also point out in case it's not obvious that I am
not a lawyer so don't think I'm giving you legal advice because I'm
not.

Well, we're glad that you and other CA folks post here, disclaimer or not :-)


I think it comes down to balancing the cost of each approach against
its risks. Each of these authentication processes is tuned to its
need. They evolve in practical ways in response to real successes and
failures. Consider how many credit cards have been issued in the US -
a large number indeed; the authentication process around these is very
low (you may have read about a dog getting a credit card) and yet as
far as I can tell the credit card associations, banks and card holders
are not suffering from that low authentication level.

This point directly ties in with Bruce Schneier's comments in his recent blog post "Mitigating Identity Theft":

http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html

As Schneier points out, the reason why the credit card system doesn't suffer from low authentication of card holders is because credit card issuers authenticate individual transactions, not the identity of the card holder per se, and this in turn is because (at least in the US) they have an economic incentive to do so, because there's a limit to how much individual card holders are liable for fraudulent transactions. The end goal is not to provide a 100% guarantee of no fraud, and it's certainly not to provide 100% correct authentication of card holders; rather the goal is to keep fraud-related losses below a certain percentage of the total amount charged using credit cards.

The interesting issue is whether and to what extent this could be done in other areas, and how the legal and economic incentives would have to be arranged in order to make this happen.

For example, consider online banking, and a user of the "First Bank of Foo" who has online access to pay bills, etc. Clearly the user could be the subject of a phishing attack, someone could thus obtain the user's authentication credentials for their bank (typically userid and password), and that someone could then impersonate the user and write fraudulent checks to arbitrary other persons. Applying Schneier's comments here would mean authenticating the individual bill payment transactions in some way, with the bank being held accountable for fraudulent transactions above a certain amount. To my knowledge this is not the case today, at least in the US.

Similar comments apply to the ill effects suffered by end users where others apply for credit cards, etc., in their names. Here the transaction of interest is providing credit in the first place, and similarly it is possible to imagine banks, stores, and other credit providers being held responsible for losses due to fraudulent applications for credit.

Whether that will happen or not is an open question. I personally doubt it, unless the "identity theft" problem becomes so massive that politicians have no choice but to ignore industry lobbying (from banks, credit bureaus, etc.) and do something. But even then it's quite possible that what will be done is simply "window dressing" or "security theatre".

It looks to me that the market for commercial CA certificates is
starting to mature given the massive adoption of the internet and
consequently (and this shouldn't surprise economists nor security
types) there is a segmentation of needs. The reason is simple - not
every website has the same security concerns.

Exactly. This is the same point I've made previously: The growth of domain-validated certs is simply the result of the disruptive innovation enabled by low-cost automated subscriber verification, innovation that essentially "competes against nonconsumption" by bringing the benefits of SSL-enabling one's web site to a broader class of people who previously couldn't see spending large amounts of money to obtain a certificate. The growth in the number of domain-validated certs is not in and of itself either an indicator of security problems or even necessarily a harbinger of such problems.


Frank

--
Frank Hecker
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
