[cryptography] [SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
iang at iang.org
Tue Sep 6 14:10:42 EDT 2011
On 7/09/11 3:03 AM, Gervase Markham wrote:
>> 2) the lack of CA advertising in the chrome.
> This is an old argument, and my position remains:
Yes, and yes :)
> there is no way we are
> ever going to get average users to pay attention to CA branding,
I've watched TV so I know what an advert is ;) I doubt anyone who
actually knows anything about the science of brand management,
advertising or economics would agree with you [1][2].
Firstly, we don't need all to pay attention right now, we just start
with a few users. 1% can guard the 99%, if it is easy. National
branding helps a lot in this (and is aligned with jurisdiction in a way
that the PKI is currently opposed to jurisdiction), as the DigiNotar
issue would have exposed.
Secondly, each CA is incentivised to make it work, we don't need to
worry about it. One of the few bright spots for new CAs would be the
ability of small players to create their own brand, which is a critical
diversification strategy for a new entrant. Denied under current structure.
> and if
> by some amazing effort we managed it, it would just entrench the
> position of the top 2 or 3 CAs.
Thirdly, *the top 2 or 3 CAs are entrenched*. History, and various
reports show and have shown [3]. This outcome is amply explained by a
Porter's 5 forces analysis [4].
Fourthly, your position amounts to industrial policy which is not part
of Mozilla's principles [5].
> You class either of these as 'trivial'? Both are large engineering and
> political challenges.
Both can be done with browser plugins. Get behind them ;)
[1] While I have studied marketing at masters level, I'm not a
specialist enough in marketing to be able to scientifically demolish it.
[2] For those looking to be disabused of this ignorance, I highly
recommend _The Gruen Transfer_, a TV show on advertising.
[3] Netscape, SecuritySpace.
[4] Which I will claim a fair bit more confidence in :)
[5] And falls to the law of unintended consequences (the usual fate of
governments meddling in economies) because it works for the entrenched
incumbents. Or, more cynically, any attempt at meddling with the
economy is directed by the entrenched incumbents. Because they are the
experts, right? Can you say "industry body was consulted?"