Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
David Schwartz wrote:
Then somebody else would. Market demand creates solutions. I can't see
how
the legal issues are any different from the ones they face when they label
software as adware or spyware.
Wow. You just conceded that there is significant pressure on major
vendors to not counter the CA, and then claimed that some ethereal other
would magically be able to enforce it where Symantec couldn't.
Market demand sometimes does create solutions, however to claim that it
does without fail is a bit naive.
So, if not Symantec, then who else do you propose would?
t's also like saying that corporations never form trusts and price fix
for fear of the consumer.
No, they never do so because such strategies only work in very unusual
circumstances. Nobody can make a person pay more for something than it is
worth.
History disagrees with you. So do a number of economists.
I'm not assuming anything, I'm making an argument why it would be
self-destructive for any CA to adopt such a strategy. That doesn't mean they
won't do it, people certainly do stupid things when they think they can get
away with it. But the fact is, CAs can't get away with it. So if they think
they can, they will quickly be proven wrong.
It would harm them, yes, but they very well can get away with it.
Also, the fact that the CA market is competitive only further muddies
the waters. Not all CAs are in the same country and their competition
forces them to be price-competitive. This reduces the priority of being
responsible. Or, to use your meat analogy, mass-produced meat tends to
be of a lower quality than individually produced meat products,
particularly in unregulated countries.
I could not disagree more. All a CA has to sell is its trust. The trust
is
its product. CAs sell trust, they are in the trust business. If a CA loses
the trust of browser vendors, it has nothing to sell. If a CA loses the
trust of users, pressure will be put on browser vendors.
It's interesting how you cite market dynamics in your arguments, but
disregard them when they aren't favorable to your point.
If hundreds of thousands of sites use a particular CA as their root,
then removing the CA trust from the browser will cause an annoyance for
the browser consumer, resulting in 1 of 2 possible outcomes:
1) People learn to modify their configs and setup the CA as trusted.
2) People move to browsers that trust that CA by default.
The only way that a CA can lose the trust of the browser users is if the
browser users understand how the CAs work and understand how to put
pressure on the browser market to achieve that end result.
Again, we get back to the fact that most end users (browser market
customers) can barely turn on their PCs, nevermind understand or care
about CA trust relationships. You have to put yourself into that
position and think like they do before you should ever propose a
pie-in-the-sky market solution to something like this.
People who think that the market will inherently protect them have been
reading too much Ayn Rand and need to step away from the
fiction-proposed-as-fact isle. No offense meant by that - it's said
tongue-in-cheek. :)
Except that it does. Especially when all a company has to sell is its
trust. This is true in many markets where companies have specifically set up
to sell trust. You don't see people bribing the MPAA or Consumer Reports.
Because such things could not possibly be hidden, and there's an immediate
market remedy (stop trusting).
There are millions of people out there who don't trust the MPAA or the
RIAA, for that matter. Not having the trust of the people hasn't
stopped them. Again, you've chosen a very poor example.
The market does not inherently protect people. Anyone who believes that
is reality impaired and doesn't have a very good understanding of
history nor economics.
-Barry