[cryptography] Math corrections

Ian G iang at iang.org
Sun Sep 18 23:52:38 EDT 2011

Hi Joe,

On 19/09/11 5:30 AM, Joe St Sauver wrote:
> Ian asked:
> #Right -- how to fix the race to the bottom?
> Wasn't that supposed to be part of the Extended Validation solution?

In a way, it was.  More particularly it was the fix to certificate 
manufacturing.  The "obvious" fix to low quality was to create high quality.

Of course, it didn't work out that way.  DigiNotar was an EV, as were 
most of the others that were hacked.  What EV did then was to create two 
products, both with their individual race to the bottom.

So there is an underlying cause that they didn't address.

> If it has failed at that, and I could see arguments either way, the
> other "natural" solution is probably government regulation.

Which would come up with approximately the EV solution proposed.  It 
always does.  And, independent assessments of before and after 
government intervention generally show that the situation isn't any 
better for the original motivation, but it is more expensive.  And we 
know who to complain to.  So noise increases.

The fundamental flaw with government intervention is this:  they don't 
know any better.  So they ask the incumbents what to do.  The incumbents 
tell them how they can help them to make money.  So the government puts 
in a design that helps the incumbents to make money.

(In econ theory this is called barriers to entry.  Typically, the 
incumbents all agree on something that (a) raises prices together and 
(b) makes it hard for small nimble competitors to cherry pick.)

> It likely
> wouldn't be pretty, but imagine:
> -- governmental accreditation of CAs (instead of, or in addition to,
>     browser vendor/CAB reviews)

QC has that, which is DigiNotar's regime.

> -- governmental minimum price points for regulated products (thereby
>     eliminating the race to the bottom, or competition on pricing in
>     general)

price controls lol...

> -- potentially government required insurance bonds, protecting the
>     public against negligence or malfeasance

EV has that.  If you know anything about the insurance market, it makes 
for hilarious reading as it gave Verisign a free pass, and forced all 
the others to pay for it.

(However, the trick to understanding it is this:  it is structured such 
that there will be no payout.)

> -- governmental audits/reviews of CA compliance


> -- pressure on third parties to make sure that PCI-DSS and similar
>     regulations mandate use of government approved CAs, only

?  Did that help?

> Of course, this may be one of those "Be careful what you wish for"
> scenarios, eh?

Yeah.  None of that will help any.  But it will certainly raise costs. 
So you'll get agreement from the large players.

