
RE: Is there a business for CAs?



> Product Liability to Clients: Zero. 
> Contract Liability to Users: Zero.

Actually not the case! A CA certainly wants the liability to
be well understood and defined but avoiding liability altogether
would mean nobody would want the service and is probably 
impossible in any case (courts tend to have a dim view of
'not responsible for any liability' notices).
 
> After-Sales Support: Almost Zero.

Actually it is quite high and this is one area a CA can add value.
The problem on the consumer side of the business is that you can
end up providing support for random clients.

> Legal Regulation: Almost Zero.

Actually it is becoming quite significant. Utah has a licensing 
scheme which has a number of restrictions a number of CAs may
not be willing to accept. 


I think that your analysis is weak in that it assumes that acting
as the Trusted Third Party is the only value the CA adds. It is
a service that is necessary of course, but the manner in which the
CA delivers that service can add a lot of value.

You have to take account of the changes that have taken
place in the business world over the past ten years. Contracting
out administrative tasks that have traditionally been core is
now commonplace. Businesses contract out payroll, accounting
and many other things that are 'central' to the business.


Also your analysis of 'CAs' as a single entity ignores the
fact that these are not monolithic entities. In practice
there is a registration function that is clerical in
nature and an issuing function which is technical. It makes
sense for companies to outsource the latter part. 

Contracting out administration of an Intranet IA can make a 
lot of sense. The security concerns are no greater than they
are for remote system administration which a lot of big name
companies buy.

Consider the problem of running a very large computer network
using certificate based security. The CA root key becomes much
more critical than any single computer system a normal company
operates. It is a single point of failure for the whole
network. If a company is serious about security it probably
wants that key to be in a very high security bunker somewhere.


A specialist Issuing Authority can support more comprehensive
administration at a lower cost than companies can do for 
themselves. There are economies of scale; instead of everyone
setting up a bunker, only those people who need a bunker do
so.

The CA part of the Issuing Authority's business means that in
addition to outsourcing the processing tasks the IA and the 
customer enter into a binding contract concerning the issuing
practices (i.e. the circumstances under which the customer will
register the certificates). This means that the Issuing Authority 
can issue certs under a public hierarchy.


Thus the term CA does not in fact align precisely to what the
CA services companies (i.e. VeriSign) do. The true business of
a CA services company is to provide the Issuing Authority
and practices infrastructure which combined with the work the
company does for themselves (registration) creates a 'CA'.


It is true that the CA has a considerable potential to act
in a fraudulent manner. So does Gemplus when it accepts a 
magnetic tape from some bank and creates a few hundred thousand
credit cards to mail to customers. So does De La Rue when it
prints postage stamps, traveller's cheques or banknotes.

All this means is that customers will want a CA services 
company that they can trust - i.e. is big enough that the
temptation to act in a fraudulent manner does not exist since
the cost of damage to the business would be higher. In addition
CA services companies had better implement audit systems that
are transparent and get audited on a regular basis.

		Phill

