
Is there a business for CAs?

This question was raised last week and discussed in e-carm.

It's often said that a good lawyer should be able to argue both sides
of an issue... Though I am not a lawyer, I believe it is instructive
to see things from all perspectives. 

I don't know if this may be a duplicate posting to some, but my
answer below may help see things from the CA side and does not
contain any exaggeration -- so it may be useful here. A CA investor
should seriously consider the items I analyse below as free advice --
as well as CA users and security protocol work groups. 

First, I would say that CAs, contrary to some opinions I read in
several fora and also here in SPKI, should be very profitable
businesses and they should be in high demand in the near future. I
hope this posting is able to make that clear. 

Of course, to properly analyse the question one would need to write a
typical CA Business Plan, which should contemplate the various pros,
cons and also contingency plans. However, let me just explain and
motivate why I think that CAs should be excellent business
opportunities for investors and entrepreneurs, in a few lines.

Product Liability to Clients: Zero. 

 CAs provide certificates that have zero content, zero warranties,
 zero assurances and, hence, zero liability under any law system.
 This is a very good point for CAs, and it is difficult to imagine a
 legal business that could get so close to this goal. Perhaps
 chiromancy with consenting adults over a phone line could
 be similar, but with a lesser market.

Contract Liability to Users: Zero.

 Since the certificate's users (ie, historically known as the
 relying-parties) are not the ones that paid for the certificate to
 the CA (ie, the certificate was paid for by the subscriber), this
 means that the CA has no responsibility or contractual obligation
 whatsoever to the certificate's users, hence zero liability.

After-Sales Support: Almost Zero.

 This is also a very good point. There is no maintenance, set-up,
 compatibility or other post-sales questions to worry about. The
 product also self-destructs, so to say, after a period of usually one
 year, so there is not even a marginal need to maintain compatible
 systems for diagnosis after one year. Regarding the eventual need to
 revoke a certificate, here we are forced to say that after-sales
 support is "almost zero". However, that is not a serious issue
 because certificate revocation also has no warranties or assurances,
 hence this freely provided service has no liabilities or obligations
 to the CA, not even to be expeditious.

Product Recall: Zero.

 The subscriber cannot send back an issued certificate and decide to
 cancel his order because the certificate does not work on the new
 Gizmo v4.0 or equivalent browser, or just because he does not like
 it any more. Once the product is sold, the revenues are liquid.

Technical Regulation: Almost Zero.

 Certificates are technically regulated by X.509 but X.509 is very
 tolerant of almost all issues except purely syntactic issues, which
 are handled blindfolded by software. Further, CAs can issue their
 very own operating laws (CPS - Certificate Practice Statement) 
 according to their needs and profit rules. They can define all their
 operating parameters.

Legal Regulation: Almost Zero.

 The CA's CPS must be accepted by the client and the CA can change it
 at will, at any moment. Legislation, such as Illinois', already
 considers such self-made laws as legally binding in lieu of any
 legislation's mandated procedures (see Section 603.a.1). 

Legal Mandatory Use: Possible.

 This is a very positive point for CAs. Legal initiatives may make it
 mandatory to use CAs (eg, TTPs) in order to allow certificates to be
 deployed. So, CAs would have captive markets in this positive
 scenario and the client would not be able to decide not to use a CA. 

Matched Sales: Strongly Enforced.

 A CA can reach profitable agreements with a wide array of partners,
 such as financial agents, software producers, content providers,
 etc., in order to render its certificates strongly matched to the
 partner's products or services. This is easily cryptographically
 guaranteed and sounds reasonable when explained to customers. For
 example, software producer ACME can easily decide that its product
 Gizmo will only accept plug-ins signed by a specific CA -- allowing
 several legal avenues for matched sales.
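As an added illustration of the "matched sales" mechanism above (not code from the original post or from any real vendor), the following Go program uses the standard library to build a constructed CA and plug-in certificate, then applies the Gizmo rule: a plug-in is accepted only if its certificate chains to the one pinned CA. The CA and publisher names are hypothetical fixtures; the point for a relying party is that whoever controls that single trust anchor controls who may sell plug-ins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue creates a certificate for name. With parent == nil it is a self-signed CA;
// otherwise it is a code-signing certificate issued under parent. Every name and
// key here is a constructed fixture, not a real CA.
func Issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // the one-year "self-destruct"
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // self-signed root: mark it as a CA and sign with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// AcceptedByGizmo models the vendor rule from the post: a plug-in certificate is
// accepted only if it chains to the single pinned CA; no other CA is in the trust store.
func AcceptedByGizmo(pinnedCA, plugin *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	_, err := plugin.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}
```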

Product Price: Free.

 There is no reference in price for an array of 2 Kbytes. It can
 range from $5.00 to $500.00 or beyond. Since the market also has to
 accept matched sales as a natural procedure in this case, it is not
 difficult to organize different product classes so that essentially
 the same array of 2 Kbytes can have very profitable margins for
 high-end (ie, expensive) applications.

Insurance: Paid By The Client.

 To cover for those few cases where the CA could still be liable (ie,
 gross negligence, employee collusion, fraud, etc.) to its clients,
 it is accepted to ask for the client to pay for insurance against
 the CA's acts. Since the users have no coverage (they are not part
 of the contract and they are not considered innocent bystanders as
 with car accidents), such insurance will need to cover only the

In summary, CAs make very good sense as businesses, shareholder
risk is low and the activities are essentially unregulated. Further,
future legislation cannot impose more burdens because it is
technically unwarranted.

Of course, the problems of e-commerce are not solved and the
so-called relying-parties must rely on themselves. This might point
to a possible technology changeover if such market forces gain
momentum, possibly also after a stage of apparent condescension.

Thus, as a final comment, CAs should keep their prices high and find
ways to add price to current products (eg, offering insurance,
different certificate classes, benefits for CRL access, etc.) --
because the potentially difficult mid-term future of such a business
imposes the need for a large ROI in a short time. This is probably not
a perennial business activity.



Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---