On 30/12/08 23:25, Gervase Markham wrote:
> Ian G wrote:
>> ... nor to
>> resist the trap of increasing work loads and complexity, and reducing
>> availability and delivered security.
> I am having trouble extracting meaning from that last sentence.
In mostly general terms:
1. When any industry group of peers forms, they will be thinking of how
they work as a model, what the representative member does, and how it
makes money. They will as a group reject any project that reduces their
own overall apparent position. They will as a group favour any proposal
that increases their own overall position.
2. In general, such a group will reject any proposal that appears to
favour one member against another; but they will accept any proposal
that requires the same amount of additional work, and increases the
power of the group. In other words, rejection of internal competition,
promotion of joint franchise power.
3. Because of the game theory that goes on here, they are likely to
adopt unified proposals that accept more work, as long as the result is
an increase in the power of the group *and* they all benefit
individually. So for example, we can conclude that the group would not
simply document the standard and insist that everyone follow it, because
that creates only downside for them, individually and as a group. That
is, more work, not necessarily any more sales.
Instead they need to find a strategy that provides for joint and
individual benefit, in exchange for the work. Commonly, this is (a)
create a brand, (b) sell the brand, (c) compete against other brands,
and (d) deny the brand to non-members. This achieves both group benefit
and individual membership.
4. What is notable about the above is that at no time or place is the
user or purchaser necessarily brought into the basic structural
economics. This is why (the theory predicts that) such associations
deliver so little to the *user* in comparison to the relatively large
benefit to the incumbents; the economics doesn't require it, and in
fact the economics fights against it, because to share any bounty with
the users adds more complications for the model. Of course. Hence,
marketing is a strong component of all such associations, because there
is a strong need for perception.
5. Hence: *any association of one sector alone* is considered to be an
"anti-trust" issue on the face of it. The economics are clearly against
the interests of other parties. I know some will find this offensive;
I can only stress that this is well known and standard in the regulatory
field, where serious money is on the table, and the regulators can
afford to employ economists who look at these structures.
6. This structure then is widely rejected where competition works to
regularly surface solutions (and standards come after competitive
success). It only tends to work where there are network effects, such
as found in the Internet. However, this doesn't change the economics,
it just creates a counterbalancing benefit that overweighs the losses,
at some point.
7. Once in place and powerful, there is then the obvious trap. Work
and complexity will increase. As a result, or perhaps as the point, the
cost rises to the end-user. Which necessarily raises the bar for
delivery of the product, which means fewer people get them, and smaller
competitors are forced out [1].
Applying to certs, unless each higher-priced product pays off in
increased protection, there is a reduction in overall security. This is
fairly simple maths, and it applies right now because we still live in
times where the difference between the alternatives is practically
negligible (notwithstanding marketing etc). It would change
dramatically if we saw actual damages. (E.g., Mozilla is absolutely
right to insist on continued delivery of the bottom-end certs, for this
reason.)
8. So there are two clear challenges for any association of suppliers,
where the peers might act against the interests of their buyers:
a. One is to address the anti-trust economics equation. One simple
mistake: Words and marketing don't do it, except in rare circumstances
(e.g., notably for students of anti-trust, diamonds / de Beers is the
classic case). For normal goods, words are not enough. Actions are
needed, e.g.:
* totally open membership
* totally open forum discussions
* buyer voice in decisions
* create partnerships with the buyer organisations
* testable mission statements
b. A second is to avoid the trap of overwork. Think of it like a drug;
the work increases, the short term benefits improve for the
*incumbents*, so everything is good. We can do that again and again,
and will do so, the more power we have. However at some stage the
system breaks. For example, if we look at Sarbanes-Oxley and other
increased audit regimes popular over the last decade, they have
basically killed the foreign IPO market in New York; the foreign new
listings have moved to London, and some large companies are working to
delist from NYSE/NASDAQ because of these unappetising work loads.
(And, now, the jaws of the trap close: compare the Sarbanes-Oxley
overwork / overpay bounty shared by the auditors to the *benefit to the
public*! The audit profession as a whole has some explaining to do.)
9. Applying all that to CABForum, it would seem to fall short. This is
no surprise, the organisation is young, and is basically coming from a
protected, insured culture, never really challenged. The past was
"money in the bank." The future will be more precisely about evidence
of economic security, not just brochures.
9.b And, this represents a very special challenge to Mozilla because of
its commitment to open organisations, open standards, open process.
10. I speak as an interested party of course. My biases are all the
more poignant because the CABForum and its members and criteria directly
and explicitly rule out the activities of myself as an auditor and the
CA I audit. Cf., to join CABForum, you must have a WebTrust audit; I
don't do WebTrust audits because of <old debate>. CAcert, the CA I
audit, are like Mozilla, more aligned to open processes and slowly
adopting a totally open model [2], and do not demand a WebTrust.
Either way, our biases may or may not be clear, and we will all fight it
out. But the economics will dominate in the end, and tell us what the
future winners will be doing.
iang
[1] It is always the temptation or intent of the supplier to raise
prices; where this happens in an industry association context, the term
of art is _barriers to entry_. Interested readers should google on
Porter's "5 forces".
[2] Some may dispute this, so an update / advocacy: CAcert was a
closed, confidential operation in the old days. That has changed. A
big decision in 2007 was to make everything generally open. All
decisions are published. Source is now under GPL. Last month they were
deciding to make even the private board mailing list open, and the same
with sysadm lists. It's slow, but it is happening.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto