[14274] in cryptography@c2.net mail archive
Re: why are CAs charging so much for certs anyway? (Re: End of the line
daemon@ATHENA.MIT.EDU (Ed Gerck)
Wed Sep 24 22:06:29 2003
X-Original-To: cryptography@metzdowd.com
Date: Wed, 24 Sep 2003 17:40:38 -0700
From: Ed Gerck <egerck@nma.com>
To: cryptography@metzdowd.com
X-Rcpt-To: <cryptography@metzdowd.com>
Yes, there is a good reason for CAs to charge so much for certs.
I hope this posting is able to set this clear once and for all.
FOREWORD: It's often said that a good lawyer should be able to argue
both sides of an issue... Though I am not a lawyer, I believe it is
instructive to see things from all perspectives. My answer may help see
things from the CA side and IMO does not contain any exaggeration.
Of course, to properly answer the question I would need to write a
CA Business Plan, which should contemplate the various pros, cons,
pricing, and contingency plans. However, without daring to use much
time in such a dubious endeavor, let me just briefly discuss the CA
business model in order to better motivate the pricing strategy answer.
1. Product Liability to Clients: Zero.
CAs provide certificates that have zero content, zero warranties,
zero assurances and, hence, zero liability under any law system.
This is a very good point for CAs, and it is difficult to imagine a
legal business that could get so close to this goal. Perhaps,
chiromancy with consenting adults over a phone line could
be similar, but with a lesser market.
2. Contract Liability to Users: Zero.
Since the certificate's users (ie, historically known as the
relying-parties) are not the ones that paid for the certificate to
the CA (ie, the certificate was paid for by the subscriber), this
means that the CA has no responsibility or contractual obligation
whatsoever to the certificate's users, hence zero liability.
3. After-Sales Support: Almost Zero.
This is also a very good point. There is no maintenance, set-up,
compatibility or other post-sales questions to worry about. The
product also self-destructs so to say after a period of usually one
year, so there is not even a marginal need to maintain compatible
systems for diagnosis after one year. Regarding the eventual need to
revoke a certificate, here we are forced to say that after-sales
support is "almost zero". However, that is not a serious issue
because certificate revocation has also no warranties or assurances,
hence this freely provided service has no liabilities or obligations
to the CA, not even to be expeditious.
4. Product Recall: Zero.
The subscriber cannot send back an issued certificate and decide to
cancel his order because the certificate does not work on the new
Gizmo v4.0 or equivalent browser, or just because he does not like
it any more. Once the product is sold, the revenues are liquid.
5. Technical Regulation: Almost Zero.
Certificates are technically regulated by X.509 but X.509 is very
tolerant on almost all issues except purely syntactic issues which
are handled blindfolded by software. Further, CAs can issue their
very own operating laws (CPS - Certificate Practice Statement)
according to their needs and profit rules. They can define all their
operating parameters.
6. Legal Regulation: Almost Zero.
The CA's CPS must be accepted by the client and the CA can change it
at will, at any moment. Legislation, such as Illinois', already
considers such self-made laws as legally binding in lieu of any
legislation's mandated procedures (see a typical CA CPS).
7. Legal Mandatory Use: Possible.
This is a very positive point for CAs. Legal initiatives may make it
mandatory to use CAs (eg, TTPs) in order to allow certificates to be
deployed. So, CAs would have captive markets in this positive
scenario and the client would not be able to decide not to use a CA.
8. Matched Sales: Strongly Enforced.
A CA can reach profitable agreements with a wide array of partners,
such as financial agents, software producers, content providers,
etc., in order to render its certificates strongly matched to the
partner's products or services. This is easily cryptographically
guaranteed and sounds reasonable when explained to customers. For
example, software producer ACME can easily decide that its product
Gizmo will only accept plug-ins signed by a specific CA -- allowing
several legal avenues for matched sales.
9. Product Price: At Will.
There is no reference in price for an array of 2 Kbytes. It can
range from $5.00 to $500.00 or beyond. Since the market also has to
accept matched sales as a natural procedure in this case, it is not
difficult to organize different product classes so that essentially
the same array of 2 Kbytes can have very profitable margins for
high-end (ie, expensive) applications.
10. Insurance: Paid By The Client.
To cover for those few cases where the CA could still be liable (ie,
gross negligence, employee collusion, fraud, etc.) to its clients,
it is accepted to ask for the client to pay for insurance against
the CA's acts. Since the users have no coverage (they are not part
of the contract and they are not considered innocent bystanders as
with car accidents), such insurance will need to cover only the
client.
PRO SUMMARY: CAs make very good sense as businesses, shareholders'
risk is low and the activities are essentially unregulated. Further, future
legislation cannot impose more burdens because it would be technically
unwarranted.
CON SUMMARY: Of course, the problems of e-commerce are not solved
by the CA business model and the so-called relying-parties must rely on
themselves. Which might point to a possible technology changeover if
such market forces gain momentum, possibly also after a stage of apparent
condescendence.
PRICING STRATEGY: CAs should keep their prices high and find ways
to add price to current products (eg, offering insurance, different
certificate classes, benefits for CRL access, etc.) -- because the potentially
difficult mid-term future of such business imposes the need for a large
ROI in a short time. This is probably not a long-term business activity.
Cheers,
Ed Gerck