Is there a business for CAs?
This question was raised last week and discussed in e-carm.
It's often said that a good lawyer should be able to argue both sides
of an issue... Though I am not a lawyer, I believe it is instructive
to see things from all perspectives.
I don't know if this may be a duplicate posting to some, but my
answer below may help see things from the CA side and does not
contain any exaggeration -- so it may be useful here. A CA investor
should seriously consider the items I analyse below as free advice --
as well as CA users and security protocol work groups.
First, I would say that CAs, contrary to some opinions I read in
several fora and also here in SPKI, should be very profitable
businesses and they should be in high demand in the near future. I
hope this posting makes that clear.
Of course, to properly analyse the question one would need to write a
typical CA Business Plan, which should contemplate the various pros,
cons and also contingency plans. However, let me just explain and
motivate why I think that CAs should be excellent business
opportunities for investors and entrepreneurs, in a few lines.
Product Liability to Clients: Zero.
CAs provide certificates that have zero content, zero warranties,
zero assurances and, hence, zero liability under any law system.
This is a very good point for CAs, and it is difficult to imagine a
legal business that could get so close to this goal. Perhaps,
chiromancy with consenting adults over a phone line could
be similar, but with a lesser market.
Contract Liability to Users: Zero.
Since the certificate's users (ie, historically known as the
relying-parties) are not the ones that paid for the certificate to
the CA (ie, the certificate was paid for by the subscriber), this
means that the CA has no responsibility or contractual obligation
whatsoever to the certificate's users, hence zero liability.
After-Sales Support: Almost Zero.
This is also a very good point. There is no maintenance, set-up,
compatibility or other post-sales questions to worry about. The
product also self-destructs so to say after a period of usually one
year, so there is not even a marginal need to maintain compatible
systems for diagnosis after one year. Regarding the eventual need to
revoke a certificate, here we are forced to say that after-sales
support is "almost zero". However, that is not a serious issue
because certificate revocation has also no warranties or assurances,
hence this freely provided service has no liabilities or obligations
to the CA, not even to be expedited.
Product Recall: Zero.
The subscriber cannot send back an issued certificate and decide to
cancel his order because the certificate does not work on the new
Gizmo v4.0 or equivalent browser, or just because he does not like
it any more. Once the product is sold, the revenues are liquid.
Technical Regulation: Almost Zero.
Certificates are technically regulated by X.509 but X.509 is very
tolerant on almost all issues except purely syntactic issues which
are handled blindfolded by software. Further, CAs can issue their
very own operating laws (CPS - Certificate Practice Statement)
according to their needs and profit rules. They can define all their
Legal Regulation: Almost Zero.
The CA's CPS must be accepted by the client and the CA can change it
at will, at any moment. Legislation, such as Illinois', already
considers such self-made laws as legally binding in lieu of any
legislation's mandated procedures (see Section 603.a.1).
Legal Mandatory Use: Possible.
This is a very positive point for CAs. Legal initiatives may make it
mandatory to use CAs (eg, TTPs) in order to allow certificates to be
deployed. So, CAs would have captive markets in this positive
scenario and the client would not be able to decide not to use a CA.
Matched Sales: Strongly Enforced.
A CA can reach profitable agreements with a wide array of partners,
such as financial agents, software producers, content providers,
etc., in order to render its certificates strongly matched to the
partner's products or services. This is easily cryptographically
guaranteed and sounds reasonable when explained to customers. For
example, software producer ACME can easily decide that its product
Gizmo will only accept plug-ins signed by a specific CA -- allowing
several legal avenues for matched sales.
Product Price: Free.
There is no reference in price for an array of 2 Kbytes. It can
range from $5.00 to $500.00 or beyond. Since the market also has to
accept matched sales as a natural procedure in this case, it is not
difficult to organize different product classes so that essentially
the same array of 2 Kbytes can have very profitable margins for
high-end (ie, expensive) applications.
Insurance: Paid By The Client.
To cover for those few cases where the CA could still be liable (ie,
gross negligence, employee collusion, fraud, etc.) to its clients,
it is accepted to ask for the client to pay for insurance against
the CA's acts. Since the users have no coverage (they are not part
of the contract and they are not considered innocent bystanders as
with car accidents), such insurance will need to cover only the
In summary, CAs make very good sense as businesses, shareholder's
risk is low and the activities are essentially unregulated. Further,
future legislation cannot impose more burdens because it is
Of course, the problems of e-commerce are not solved and the
so-called relying-parties must rely on themselves, which might point
to a possible technology changeover if such market forces gain
momentum, possibly also after a stage of apparent condescendence.
Thus, as a final comment, CAs should keep their prices high and find
ways to add price to current products (eg, offering insurance,
different certificate classes, benefits for CRL access, etc.) --
because the potentially difficult mid-term future of such business
imposes the need for a large ROI in a short time. This is probably not
a perennial business activity.
Dr.rer.nat. E. Gerck
--- Meta-Certificate Group member, http://www.mcg.org.br ---