Peter,

Is your interest in the current PKI trust model involving CAs and browsers academic or personal? I've heard you present before and thought you gave even-handed, legitimate criticisms of the errors found in the use of digital certificates on the Internet. Your recent comment about protection money shows that your cynicism has reached a new level. Whether you are prophet, pundit or pariah, you are alleging that Certificate Authorities are run by back-end mob bosses actually behind the online threats that everyone faces on the Internet. I suppose you have the same feelings for anti-virus software providers and security hardware vendors as well.

Ben Wilson
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Peter Gutmann
Sent: Saturday, December 10, 2011 5:50 AM
To: [email protected]; [email protected]
Subject: Re: [SSL Observatory] Number of CAs

Patrick Patterson <[email protected]> writes:

>A possible analogy is that a relying party is acting like someone who goes
>into a store, is given a lot of food by that store for free, and then
>complains to the store when they get fat off of that free food. No-one is
>forcing a Relying Party to trust any given CA.

Uh-oh, arguing by analogy...

RPs are being forced to rely on a CA (it's not trust, because most users don't trust CAs; they don't even know what they are). What browsers do is give users a choice:

1. Rely on a CA.
2. Don't do business online, for example "don't pay your power bills" or "don't file your taxes" or "don't sell to your customers".

Since companies and governments take a rather dim view of people who choose to opt out of paying them, RPs in effect have no choice. They have to rely on a CA, or else.

You need a better analogy for commercial PKI than the one you're using. I think a protection racket would be a good starting point ("youse gotta real nice web site here. Be a shame iff'n customers was scared away..."). I realise that's a fairly emotive way of describing things, but as browsers today implement it, the closest analogy I can think of is a protection racket, and that's not from any deliberate attempt to choose emotionally laden terms.

Peter.
