PRIVACY Forum Archive Document


PRIVACY Forum Digest     Tuesday, 21 December 1999     Volume 08 : Issue 21

                (http://www.vortex.com/privacy/priv.08.21)  

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        BULLETIN: Public Key Competition on the Web Goes POOF?
           (Lauren Weinstein; PRIVACY Forum Moderator)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 21

     Quote for the day:

        "You can take my word for it.  There'll be no war."

            -- Charles Foster Kane (Orson Welles)
               "Citizen Kane" (Mercury/RKO; 1941)

----------------------------------------------------------------------

Date:    Tue, 21 Dec 99 10:17 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: BULLETIN: Public Key Competition on the Web Goes POOF?

Greetings.  Various pundits have been declaring that the time had come for
widespread adoption of public key systems for the encryption and
verification of all manner of documents and transactions in both private and
public venues.  Now comes the startling announcement that effective
competition in the critical "Certification Authority" business, crucial to
the operation of the Public Key Infrastructure (PKI) on the Web as it's now
structured, may apparently vanish, at least as far as most Web server
operators and browser users are concerned.  

This further complicates a situation which already had been raising eyebrows
in many quarters.  While it can be argued that digital certificates are not
the only mechanism suitable for providing PKI services, and that they are in
some respects inadequate (see http://www.csl.sri.com/neumann/insiderisks.html for
new "CACM" articles expressing these views), the bottom line is that for the
foreseeable future you need these certificates for most PKI on the Web.

The announcement that VeriSign, Inc. (http://www.verisign.com), the largest
provider of digital certificates for PKI operations, is purchasing the
second largest provider, Thawte, Inc. (http://www.thawte.com), for stock
worth more than half a billion dollars, will mean that in the Web world,
VeriSign will control virtually the entire PKI certification business.
Since Thawte generally undercut VeriSign in terms of pricing, it's hard to
view this transaction as other than an apparent effort by VeriSign to close
down the competition.

While both companies in their press releases and announcements have stressed
the "benefits to consumers" that would result from this consolidation, it's
hard to find other examples of cases where consumers were advantaged by two
companies, each with approximately 50% market share, combining to form one
company with virtually a 100% share.  Such a state of affairs would be
intolerable in most important business sectors.

As I mentioned above, there had already been questions raised about the
state of affairs regarding such certification authorities.  Most Web users'
main contact with PKI is through the "SSL" system that is usually used to
encrypt financial transactions and purchases over the Web.  An awful lot
goes on to make that little lock icon close on your screen, and key to this
process are the "digital certificates" issued by companies such as VeriSign
and Thawte.  These certificates allow the entire public key encryption
system to operate. 

In theory, any Web user could accept a certificate from any source, and
there are many firms and even individuals that do issue such certificates.
However, the process of accepting and installing these certificates can be
confusing and a bit scary to many users, so in practice the vast majority of
transactions take place using the pre-installed certificates in the common
Web browsers.  And of the various firms that are pre-installed, only
VeriSign (whose certificates read as "RSA Data Security") and Thawte have any
significant working market share, so the entire universe of Web
server/browser certificates is basically split between them.  Interestingly,
Thawte may become the leading browser certificate authority on 1 Jan 2000,
when some browsers with VeriSign certificates will face "root" certificate
expiration, which will no doubt be incorrectly viewed by many users as a Y2K
bug...

Lack of real competition in this segment of the PKI market is bad news for
businesses, governments, and consumers.  To many observers, even before this
announcement, it was already unclear why this market in the Web world was so
tiny, and why digital certificates, which buyers are usually forced to renew
annually, are priced at such relatively high levels.

For users to have confidence in public key systems, which are now being
heavily promoted by commercial firms and governmental entities, it's
absolutely necessary that viable competition exists in this area.  The
questions concerning the current state of affairs that brought us to this
juncture need to be answered with all due haste.

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

End of PRIVACY Forum Digest 08.21
************************



Copyright © 2005 Vortex Technology. All Rights Reserved.