[cryptography] Math corrections
iang at iang.org
Sun Sep 18 23:52:38 EDT 2011
On 19/09/11 5:30 AM, Joe St Sauver wrote:
> Ian asked:
>
> #Right -- how to fix the race to the bottom?
>
> Wasn't that supposed to be part of the Extended Validation solution?

In a way, it was. More particularly it was the fix to certificate
manufacturing. The "obvious" fix to low quality was to create high quality.
Of course, it didn't work out that way. DigiNotar was an EV, as were
most of the others that were hacked. What EV did then was to create two
products, both with their individual race to the bottom.

So there is an underlying cause that they didn't address.

> If it has failed at that, and I could see arguments either way, the
> other "natural" solution is probably government regulation.

Which would come up with approximately the EV solution proposed. It
always does. And, independent assessments of before and after
government intervention generally show that the situation isn't any
better for the original motivation, but it is more expensive. And we
know who to complain to. So noise increases.

The fundamental flaw with government intervention is this: they don't
know any better. So they ask the incumbents what to do. The incumbents
tell them how they can help them to make money. So the government puts
in a design that helps the incumbents to make money.

(In econ theory this is called barriers to entry. Typically, the
incumbents all agree on something that (a) raises prices together and
(b) makes it hard for small nimble competitors to cherry pick.)

> It likely
> wouldn't be pretty, but imagine:
>
> -- governmental accreditation of CAs (instead of, or in addition to,
> browser vendor/CAB reviews)

QC has that, which is DigiNotar's regime.

> -- governmental minimum price points for regulated products (thereby
> eliminating the race to the bottom, or competition on pricing in

price controls lol...

> -- potentially government required insurance bonds, protecting the
> public against negligence or malfeasance

EV has that. If you know anything about the insurance market, it makes
for hilarious reading as it gave Verisign a free pass, and forced all
the others to pay for it.

(However, the trick to understanding it is this: it is structured such
that there will be no payout.)

> -- governmental audits/reviews of CA compliance
>
> -- pressure on third parties to make sure that PCI-DSS and similar
> regulations mandate use of government approved CAs, only

? Did that help?

> Of course, this may be one of those "Be careful what you wish for"
> scenarios, eh?

Yeah. None of that will help any. But it will certainly raise costs.
So you'll get agreement from the large players.