Ben Wilson <[email protected]> writes:

>Is your interest in the current PKI trust model involving CAs and browsers
>academic or personal?

Is there a difference?

>Your recent comment about protection money shows that your cynicism has
>reached a new level.

Yeah, that's the problem with having to use terms with emotional connotations. I'm sure there's some more neutral economic term that says the same thing, but then no-one would know what I was referring to.

>you are alleging that Certificate Authorities are run by back end mob bosses
>actually behind the online threats that everyone faces on the Internet.

No, I'm criticising the business model that's been created by browser vendors: If end users don't want customers to be scared away from their business, they have to pay money to a third party to ensure that this doesn't happen (and even if you're going with one of the small number of free CAs, which in any case many users don't even know exist, you have to invest considerable time and effort into obtaining and configuring certificates; I did a back-of-the-envelope calculation of what "free" certs actually cost based on time estimates and hourly rates a while back, and the cost was staggering). I'm not an economist, so I don't know all the models that could be applied here, but in terms of trying to find an analogy for what's going on, I can't see how that's anything other than a protection racket.

The depressing thing is that the current system acts to incentivise the race to the bottom: If I was running a CA as a charity I'd perform careful checking and whatnot; if I was running it as a commercial operation I'd maximise throughput (in other words, sell as many certs as possible while doing as little checking as possible), because I know that customers will have to come to me, the browsers will treat me identically to the most diligent, careful CA out there, and as long as I sell enough certs to be TB2F I can get away with any glitches that may arise due to my cutting corners.
To get back to the original poster's comments, he proposed some complex analogy involving free food and whatnot, but the best analogy for what browsers are currently doing seems to be a protection racket. If anyone has a better one (with convincing supporting arguments), I'd be happy to entertain it. While reasoning by analogy isn't perfect, it does allow you to look at how others have solved the same (equivalent) problem in other areas, so there's some value to finding a good analogy.

Peter.
