t byfield on Thu, 23 Dec 1999 04:37:02 +0100 (CET) |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
<nettime> PRIVACY Forum Digest: Public Key Competition on Web Goes POOF? |
----- Forwarded Date: Tue, 21 Dec 1999 14:06:53 -0800 From: PRIVACY Forum <privacy@vortex.com> Subject: PRIVACY Forum Digest V08 #21 To: PRIVACY-Forum-List@vortex.com PRIVACY Forum Digest Tuesday, 21 December 1999 Volume 08 : Issue 21 (http://www.vortex.com/privacy/priv.08.21) Moderated by Lauren Weinstein (lauren@vortex.com) Vortex Technology, Woodland Hills, CA, U.S.A. http://www.vortex.com ===== PRIVACY FORUM ===== ------------------------------------------------------------------- The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems. - - - These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum. ------------------------------------------------------------------- CONTENTS BULLETIN: Public Key Competition on the Web Goes POOF? (Lauren Weinstein; PRIVACY Forum Moderator) *** Please include a RELEVANT "Subject:" line on all submissions! *** *** Submissions without them may be ignored! *** ----------------------------------------------------------------------------- The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged. All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations. The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive. All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access. ----------------------------------------------------------------------------- VOLUME 08, ISSUE 21 Quote for the day: "You can take my word for it. There'll be no war." -- Charles Foster Kane (Orson Welles) "Citizen Kane" (Mercury/RKO; 1941) ---------------------------------------------------------------------- Date: Tue, 21 Dec 99 10:17 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: BULLETIN: Public Key Competition on the Web Goes POOF? Greetings. Various pundits have been declaring that the time had come for widespread adoption of public key systems for the encryption and verification of all manner of documents and transactions in both private and public venues. Now comes the startling announcement that effective competition in the critical "Certification Authority" business, crucial to the operation of the Public Key Infrastructure (PKI) on the Web as it's now structured, may apparently vanish, at least as far as most Web server operators and browser users are concerned. This further complicates a situation which already had been raising eyebrows in many quarters. While it can be argued that digital certificates are not the only mechanism suitable for providing PKI services, and that they are in respects inadequate (see http://www.csl.sri.com/neumann/insiderisks.html for new "CACM" articles expressing these views), the bottom line is that for the foreseeable future you need these certificates for most PKI on the Web. The announcement that VeriSign, Inc. (http://www.verisign.com), the largest provider of digital certificates for PKI operations, is purchasing the second largest provider, Thawte, Inc. (http://www.thawte.com), for stock worth more than half a billion dollars, will mean that in the Web world, VeriSign will control virtually the entire PKI certification business. Since Thawte generally undercut VeriSign in terms of pricing, it's hard to view this transaction as other than an apparent effort by VeriSign to close down the competition. While both companies in their press releases and announcements have stressed the "benefits to consumers" that would result from this consolidation, it's hard to find other examples of cases where consumers were advantaged by two companies, each with approximately 50% market share, combining to form one company with virtually a 100% share. Such a state of affairs would be intolerable in most important business sectors. As I mentioned above, there had already been questions raised about the state of affairs regarding such certification authorities. Most Web users' main contact with PKI is through the "SSL" system that is usually used to encrypt financial transactions and purchases over the Web. An awful lot goes on to make that little lock icon close on your screen, and key to this process are the "digital certificates" issued by companies such as VeriSign and Thawte. These certificates allow the entire public key encryption system to operate. In theory, any Web user could accept a certificate from any source, and there are many firms and even individuals that do issue such certificates. However, the process of accepting and installing these certificates can be confusing and a bit scary to many users, so in practice the vast majority of transactions take place using the pre-installed certificates in the common Web browsers. And of the various firms that are pre-installed, only VeriSign (whose certificates read as "RSA Data Security") and Thawte have any significant working market share, so the entire universe of Web server/browser certificates is basically split between them. Interestingly, Thawte may become the leading browser certificate authority on 1 Jan 2000, when some browsers with VeriSign certificates will face "root" certificate expiration, which will no doubt be incorrectly viewed by many users as a Y2K bug... Lack of real competition in this segment of the PKI market is bad news for businesses, governments, and consumers. To many observers, even before this announcement, it was already unclear why this market in the Web world was so tiny, and why the pricing for digital certificates, which buyers are usually forced to renew annually, are priced at such relatively high levels. For users to have confidence in public key systems, which are now being heavily promoted by commercial firms and governmental entities, it's absolutely necessary that *viable* competition exists in this area. The questions concerning the current state of affairs that brought us to this juncture need to be answered with all due haste. --Lauren-- lauren@vortex.com Lauren Weinstein Moderator, PRIVACY Forum - http://www.vortex.com Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org Member, ACM Committee on Computers and Public Policy ------------------------------ End of PRIVACY Forum Digest 08.21 ************************ ----- Backwarded # distributed via <nettime>: no commercial use without permission # <nettime> is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body # archive: http://www.nettime.org contact: nettime@bbs.thing.net