[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Is there a business for CAs?

On Fri, 10 Apr 1998, Phillip Hallam-Baker wrote:


 NOTE: This discussion is possibly off-topic here if viewed under the
 light of CA's strategy. However, it may be fully on-topic if viewed
 as an "ad absurdum" demonstration that authorizations based on
 "A's estimated reliance regarding B's unsupervised acts on matters
 of x" [1]  has to be centered on the user. 

>> Product Liability to Clients: Zero. 
>> Contract Liability to Users: Zero.
>Actually not the case! 

The early entrants to the CA market are most likely to make a
windfall. As the CA market matures at a rate accelerated by Moore's
law, the industry will realize its limitations and move on to a next
generation solution, leaving the late entrants holding the bag, and a
disproportionate amount of the blame. Then, it will be the case. 

> A CA certainly wants the liability to
>be well understood and defined but avoiding liability altogether
>would mean nobody would want the service and is probably 
>impossible in any case (courts tend to have a dim view of
>'not responsible for any liability' notices.

"well-defined" is the right word. Well-defined to be zero... and it
would be suicidal otherwise. So, Verisign`s CPS is correct... not
promising what it can't deliver was IMO Verisign's best strategy.

As clearly exemplified in the CPS warranty disclaimer, second and
third sentences:  "...MAKES NO REPRESENTATION ..." and "...MAKES NO

BTW, how many CAs are accepting Utah's conditions of increased
mandatory liability? More importantly, how many subscribers are
accepting Utah's conditions of difficult non-repudiablity when not
even US's Pentagon computers are safe from bored high-school
students and a few comments from an under-age Israeli boy? 

>> After-Sales Support: Almost Zero.
>Actually it is quite high and this is one area a CA can add value.
>The problem on the consumer side of the business is that you can
>end up providing support for random clients.

Starting from zero, anything can be quite high. However, if I can
judge by the all too common basic questions in discussion lists,
users are essentially gropping in the dark regarding even basic
questions such as "what does a X.509 certificate warrant?". If you
read Verisign's own CPS you will also notice that is is the
*subscriber's*  responsibility to insure his own security.

Possibly, the subscriber can also pay the CA for help, but that is
included in my final recommendations for CAs, as posted:

"Thus, as a final comment, CAs should keep their prices high and find
ways to add price to current products (eg, offering insurance,
different certificate classes, benefits for CRL access, etc.) --
because the potentially difficult mid-term future of such business
impose the need for a large ROI in a short time."

>> Legal Regulation: Almost Zero.
>Actually it is becomming quite significant. Utah has a licensing 
>scheme which has a number of restrictions a number of CAs may
>not be willing to accept. 

Exactly my point -- "a number of CAs may not be willing to accept" 
such restrictions. And, they don't have to. Such legislation is
self-defeating -- why would a CA open shop in Utah when it can do so
in Illinois?

>I think that your analysis is weak in that it assumes that acting
>as the Trusted Third Party is the only value the CA adds. It is
>a service that is necessary of course, but the manner in which the
>CA delivers that service can add a lot of value.

If the main purpose of a CA is to issue a certificate that can be
relied upon by the subscriber (a CA client) and by any number of
users (not CA clients) and if my analysis (as it does) centers itself
exactly on the verification of the business viability of such purpose
from the CA side ...  then you may call it biased, but not weak. For
the other side of the story you can read
http://www.mcg.org.br/cert.htm -- so, the full picture is there, both

Further, my analysis includes ten key points, mostly taken verbatim
from any book you may find on the topic "How to write Good Business

>You have to take account of the changes that have taken
>place in the business world over the past ten years. Contracting
>out administrative tasks that have traditionally been core is
>now commonplace. Businesses contract out payroll, accounting
>and many other things that are 'central' to the business.

I beg your pardon, that has nothing to do with defending a model that
leave clients and users with just empty hands. Outsourcing is a
requirement of down-sizing, not of empty-sizing. Signing company
checks cannot be well outsourced, as well as signing the company's

If you want to raise the issue that both CA's clients and certificate
users are better off using the CA's services, then ... see it not
from the CA side but from the users' side .. who are not CA clients
in any way but are usually clients of the CA's client, hence with a
liability link from the CA's clients to them but which is not
reflected in the certificate's CA services.

>All this means is that customers will want a CA services 
>company that they can trust - i.e. is big enough that the
>temptation to act in a fraudulent manner does not exist since
>the cost of damage to the business would be higher. In addition
>CA services companies had better implement audit systems that
>are transparent and get audited on a regular basis.

Please see the case of General Motors against veritable and
trustworthy almost 70-year old Volkswagen, last year, when Volkswagen
agreed to pay a fine in excess of US$ 1,1 billion (no mistake,
billion) dollars for untrustworthy industrial espionage acts. Which
VW's top brass went on record saying that was worth it ... 

The question is not IF a CA is 100% reliable (which nothing is) but
whether the clients and users have anything to grasp...




[1] ie, A trusts B on matters of x -- to use that pesky but shorter word.
Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---