The jurisdiction problem with making SSL CAs liable for things

December 24, 2010

Suppose that you want to fix the SSL CA racket, so that SSL CAs actually had a motive to do a good job (whatever that means). One vaguely popular approach is to align their economic interests through the traditional tool of liability, so you pass laws that make SSL CAs liable if they issue bad certificates. However, as I've mentioned before, I don't think that this will actually work.

The core problem that I see is jurisdiction, in two forms. The first and most obvious one is your government's jurisdiction over the CAs, since commercial CAs are located all around the world. Even if you persuade your local legal system to allow you to assert jurisdiction over a foreign company on the grounds that it accepts money from your citizens, you're left with the issue of enforcing a court judgement against a company that may well have no assets in your country.

This is important, because successfully imposing liability on all SSL CA vendors is vital. Making a SSL CA liable for things drives up its costs, which means that it's going to have to increase its prices. Given that SSL certificates are a commodity, any non-liable SSL CAs can and will undercut these higher prices, with the net effect of driving CAs in your jurisdiction out of business.

The second part is jurisdiction between the SSL CA vendor and the person wanting a certificate. If something goes wrong and the SSL CA issues a bad certificate, it's quite possible that they have been sold a bill of goods by the certificate purchaser. With the CA on the hook for money via liability, they will clearly want to recover it by turning around and suing the purchaser. If the purchaser is not within the same jurisdiction as the CA, well, the CA now has a problem; the further 'away' the purchaser, the larger the CA's problem.

Even apart from any practical difficulties, making SSL CAs liable for validating the purchaser's identification is likely to result in SSL CAs refusing to sell certificates to foreigners. This will cut down SSL CA competition, often drastically, plus there are large areas of the world that do not have an SSL CA in their country at all.

(The practical difficulties of verifying the identity of someone in another jurisdiction are themselves non-trivial, especially if you assume that some of the would-be certificate purchasers are criminals, willing to lie to you and forge what look like official documents.)

Written on 24 December 2010.
« More on the Unix interpreter startup problem
Garbage-collected languages and memory allocation failures »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Dec 24 01:46:42 2010
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.