
Re: Not a good idea...



> If SurfWatch can be sued for a "bad review," then Siskel and Ebert had
> better find a new line of work.

I might be stretching things a bit, but couldn't you call a CA a "review 
service"?  Essentially instead of having a banned list, you have an 
"accepted list".

Right now, CAs seem to be all using the same narrow criteria for putting 
someone on the accepted list -- knowledge about the identity of someone 
running the site.

If CAs are liable, then why not SurfWatch?  Or better yet, if SurfWatch 
isn't liable, then why should a CA be?

The problem of liability is a real one, at least with a protocol like
X.509.  Sites need to have certs to interoperate with the rest of the
world, and CAs seem to expose themselves to liability by issuing certs. 
That means that certs are going to cost money, or at least more than they
would otherwise.  And that could have a chilling effect on the widespread
deployment of crypto.

As was recently pointed out in another context, security is economics, 
and anything that adds cost to security means less security for 
everyone.  I think in general we ought to oppose laws which expand 
liability for things people do online;  liability can almost be viewed as 
another form of regulation.  A judgment against a tobacco company would 
probably have the same effect as an outright ban on cigarettes.

What's more, protocols which force authentication on people who might only
want or need encryption aren't good.  With liability figured in,
authentication costs a lot more money than basic encryption.  Say what 
you want about patents, the other main hurdle standing between us and 
really free crypto, but if we're willing to wait, they'll go away.

Our goal ought to be totally free access to crypto tools without legal
interference, cost (even for commercial applications), incompatibility
with dominant standards, or risk of liability.