I have an idea for a nice "make money fast" business model:

I'll make a CA. I'll talk about trustworthiness and doing sophisticated
verifications etc. In my guidelines and processes, I say that I'll
offer "HighSec high security certificates", where I'll get the in-person
signature and passport verification. I'll also define "CheapO" certs,
and say that I'm not actually going to do any verifications whatsoever
for them. (Maybe I won't define CheapO just yet, but in a year.)

I'll get the root cert in the Mozilla roots.

I'll get an audit by KPMG which will verify me just fine that I do
nothing, i.e. follow the guidelines. If the audit is thorough, the
auditor will also let me issue a HighSec cert for himself, and I'll
check his own signature and passport, and he'll see that I verify that -
all fine. The audit costs me, let's say, $3000 (one day of work by a KPMG
guy - maximum).

I'll issue both HighSec ($1000) and CheapO certs based on my root cert.
I'll make a simple website with lots of seal graphics and impressive
"high security certification" text, where I sign any key that people
give me, without any verifications whatsoever. I sell them for $5.
That's more than 50% cheaper than popular competitors, and 95% cheaper
than the market leader.

I'll get really popular with web site owners, because I'm really cheap and
fast and unobtrusive. Every web hoster under the sun is my reseller (they
make $1, too), which is part of my success. I cash $$/year. All is fine.
Part of the reason why all is fine is that people are generally careful
about nonsense when their credit card / bank account is involved.

Now, 3 years later, some scammers and spammers actually notice me and
set up fake SSL sites with my certs. (They need the site for a few days
only anyway.) (Before that, they simply haven't bothered about SSL -
why should they?) People notice. I quickly revoke the offending certs,
and say "Oops, sorry. Fixed it. Won't happen again." Otherwise, I
continue everything as-is. I refer people to my audit above. Still,
people yell for my root to be yanked. I put the "big business, can't do
that" face on.

Some other people, however, say that I don't violate my own guidelines,
and that they have no right to put me out of business, and that even if
so, they should not yank my root anyway, because so many websites are
using it.

I smile.
Ben
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto