RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

["David Schwartz" <davids () webmaster com>]

> > No CA wants to find out what market forces will appear as
> > soon as they
> > prove to be untrustworthy. There are already many vehicles for
> > immediately
> > deploying blacklists. For example, Symantec could release an
> > update for any
> > of their security products that removed a root CA. It wouldn't take more
> > than a small percent of web users to have a problem with a CA
> > before people
> > wouldn't want their certificates to be signed by that CA.

> Symantec wouldn't do this.  The backlash they would recieve from angry
> users alone would be enough to discourage it, nevermind the potential
> for legal problems.

        Then somebody else would. Market demand creates solutions. I can't see how
the legal issues are any different from the ones they face when they label
software as adware or spyware.

> Comparing CA accountability to meat sales isn't a valid analogy.
> Obviously, the CAs don't want to be regulated, but trusting them because
> of this is a bit like saying that business owners would never short-pay
> an employee because of fear of what the employees would do.

        No, that's not what I'm saying. I'm saying they might do it, and if they
do, the mechanisms will appear immediately to fix it.

> It's also like saying that corporations never form trusts and price fix
> for fear of the consumer.

        No, they never do so because such strategies only work in very unusual
circumstances. Nobody can make a person pay more for something than it is
worth.

> Obviously, both of these assumptions are wrong and the assumption
> regarding CAs is also wrong.  The fact that it is assumed in the first
> place is *the problem*.

        I'm not assuming anything, I'm making an argument why it would be
self-destructive for any CA to adopt such a strategy. That doesn't mean they
won't do it, people certainly do stupid things when they think they can get
away with it. But the fact is, CAs can't get away with it. So if they think
they can, they will quickly be proven wrong.

> Also, the fact that the CA market is competitive only further muddies
> the waters.  Not all CAs are in the same country and their competition
> forces them to be price-competitive.  This reduces the priority of being
> responsible.  Or, to use your meat analogy, mass-produced meat tends to
> be of a lower quality than individually produced meat products,
> particularly in unregulated countries.

        I could not disagree more. All a CA has to sell is its trust. The trust is
its product. CAs sell trust, they are in the trust business. If a CA loses
the trust of browser vendors, it has nothing to sell. If a CA loses the
trust of users, pressure will be put on browser vendors.

> People who think that the market will inherently protect them have been
> reading too much Ayn Rand and need to step away from the
> fiction-proposed-as-fact isle.  No offense meant by that - it's said
> tongue-in-cheek.  :)

        Except that it does. Especially when all a company has to sell is its
trust. This is true in many markets where companies have specifically set up
to sell trust. You don't see people bribing the MPAA or Consumer Reports.
Because such things could not possibly be hidden, and there's an immediate
market remedy (stop trusting).

        DS