[cryptography] [SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Ian G iang at iang.org
Tue Sep 6 14:10:42 EDT 2011

On 7/09/11 3:03 AM, Gervase Markham wrote:
>> 2) the lack of CA advertising in the chrome.
> This is an old argument, and my position remains:

Yes, and yes :)

> there is no way we are
> ever going to get average users to pay attention to CA branding,

I've watched TV so I know what an advert is ;)  I doubt anyone who 
actually knows anything about the science of brand management, 
advertising or economics would agree with you [0] [1].

Firstly, we don't need all to pay attention right now, we just start 
with a few users.  1% can guard the 99%, if it is easy.  National 
branding helps a lot in this (and is aligned with jurisdiction in a way 
that the PKI is currently opposed to jurisdiction), as the DigiNotar 
issue would have exposed.

Secondly, each CA is incentivised to make it work, we don't need to 
worry about it.  One of the few bright spots for new CAs would be the 
ability of small players to create their own brand, which is a critical 
diversification strategy for a new entrant.  Denied under current structure.

> and if
> by some amazing effort we managed it, it would just entrench the
> position of the top 2 or 3 CAs.

Thirdly, *the top 2 or 3 CAs are entrenched* .  History, and various 
reports show and have shown [2].  This outcome is amply explained by a 
Porter's 5 forces analysis [3].

Fourthly, your position amounts to industrial policy which is not part 
of Mozilla's principles [5].

> You class either of these as 'trivial'? Both are large engineering and
> political challenges.

Both can be done with browser plugins.  Get behind them ;)


[0] While I have studied marketing at masters level, I'm not a 
specialist enough in marketing to be able to scientifically demolish it.

[1]  For those looking to be disabused of this ignorance, I highly 
recommend _The Gruen Transfer_, a TV show on advertising.


[2] Netscape, SecuritySpace.

[3] Which I will claim a fair bit more confidence in :)

[5] And falls to the law of unintended consequences (the usual fate of 
governments meddling in economies) because it works for the entrenched 
incumbents.  Or, more cynically, any attempt at meddling with the 
economy is directed by the entrenched incumbents.  Because they are the 
experts, right?  Can you say "industry body was consulted?"

More information about the cryptography mailing list