> >No CA wants to find out what market forces will appear as > >soon as they > >prove to be untrustworthy. There are already many vehicles for > >immediately > >deploying blacklists. For example, Symantec could release an > >update for any > >of their security products that removed a root CA. It wouldn't take more > >than a small percent of web users to have a problem with a CA > >before people > >wouldn't want their certificates to be signed by that CA. > Symantec wouldn't do this. The backlash they would recieve from angry > users alone would be enough to discourage it, nevermind the potential > for legal problems. Then somebody else would. Market demand creates solutions. I can't see how the legal issues are any different from the ones they face when they label software as adware or spyware. > Comparing CA accountability to meat sales isn't a valid analogy. > Obviously, the CAs don't want to be regulated, but trusting them because > of this is a bit like saying that business owners would never short-pay > an employee because of fear of what the employees would do. No, that's not what I'm saying. I'm saying they might do it, and if they do, the mechanisms will appear immediately to fix it. > It's also like saying that corporations never form trusts and price fix > for fear of the consumer. No, they never do so because such strategies only work in very unusual circumstances. Nobody can make a person pay more for something than it is worth. > Obviously, both of these assumptions are wrong and the assumption > regarding CAs is also wrong. The fact that it is assumed in the first > place is *the problem*. I'm not assuming anything, I'm making an argument why it would be self-destructive for any CA to adopt such a strategy. That doesn't mean they won't do it, people certainly do stupid things when they think they can get away with it. But the fact is, CAs can't get away with it. So if they think they can, they will quickly be proven wrong. > Also, the fact that the CA market is competitive only further muddies > the waters. Not all CAs are in the same country and their competition > forces them to be price-competitive. This reduces the priority of being > responsible. Or, to use your meat analogy, mass-produced meat tends to > be of a lower quality than individually produced meat products, > particularly in unregulated countries. I could not disagree more. All a CA has to sell is its trust. The trust is its product. CAs sell trust, they are in the trust business. If a CA loses the trust of browser vendors, it has nothing to sell. If a CA loses the trust of users, pressure will be put on browser vendors. > People who think that the market will inherently protect them have been > reading too much Ayn Rand and need to step away from the > fiction-proposed-as-fact isle. No offense meant by that - it's said > tongue-in-cheek. :) Except that it does. Especially when all a company has to sell is its trust. This is true in many markets where companies have specifically set up to sell trust. You don't see people bribing the MPAA or Consumer Reports. Because such things could not possibly be hidden, and there's an immediate market remedy (stop trusting). DS
