Ian G wrote: > 2. In general, such a group will reject any proposal that appears to > favour one member against another; but they will accept any proposal > that requires the same amount of additional work, and increases the > power of the group. In other words, rejection of internal competition, > promotion of joint franchise power.
Not necessarily. For example, EV could have been said to favour larger CAs (who are able to offer a global service), and CAs which already had the infrastructure in place for doing detailed identity vetting. Yet it was approved. > Instead they need to find a strategy that provides for joint and > individual benefit, in exchange for the work. Commonly, this is (a) > create a brand, (b) sell the brand, (c) compete against other brands, > and (d) deny the brand to non-members. This achieves both group benefit > and individual membership. Well, if you are seeing EV as a brand, then in this case there aren't really other brands to compete against, and they can't deny the brand to non-members, because anyone can take the audits and anyway, EV status is in the gift of the browser manufacturers, not the forum. > 4. What is notable about the above is that at no time or place is the > user or purchaser necessarily brought into the basic structural > economics. This is why (the theory predicts that) such associations > deliver so little to the *user* in comparison to the relatively large > benefit to the incumbents; the economics doesn't require it, and in > fact the economics fights against it, because to share any bounty with > the users adds more complications for the model. Of course. Hence, > marketing is a strong component of all such associations, because there > is a strong need for perception. Except that the CAB Forum does no marketing. > 10. I speak as an interested party of course. My biases are all the > more poignant because the CABForum and its members and criteria directly > and explicitly rule out the activities of myself as an auditor and the > CA I audit. C.f., to join CABForum, you must have a WebTrust audit; Not so; there is a list of acceptable audit criteria. It includes ETSI. But, having commented on those errors of fact, I can't quite see what you are saying apart from "industry standards bodies are bad". Is that it? Gerv _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
