ietf-smime

Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

2009-01-08 10:10:57

On Thu, Jan 08, 2009 at 08:16:33AM -0600, Eric Gray wrote:
      The notion of merchants and bankers "bearing the burden" is a
great fiction - at least if you're considering them as a group.  In
individual cases, individual merchants/bankers will absorb losses,
but either that means they go out of business (which we see
sometimes) or they survive to defray their losses by charging
consumers more for their products and services.

I didn't say it was a good way to run a railroad --- just as having
more and more people read their news on-line for free, while reporters
are paid via a business model that depends on rapidly diminishing
advertising revenues for print and on-line banner ads, plus the
vanishingly small number of people willing to pay for dead-tree
versions of newspapers is a great way of running things.

But the problem is very similar; if at least in the US, consumers are
used to a model where they only pay for the costs of fraud via a
surcharge which is hidden in the cost of the on-line merchant's
prices, how do you convince them that it is worthwhile to pay for a
trust certification service?  Especially given that a merchant is
still going to have to pay the 3% credit card fee to the credit card
companies, which ends up showing up in the price of goods and/or
services?

      Since the consumer ultimately pays the price in any case,
perhaps a good argument can be made for paying a portion of it up
front?

From a public policy POV, perhaps.  How you actually convince the
consumers, merchants, credit card companies, and the rest of the
system to transition from the current scheme to this new scheme is
much more difficult than writing an RFC, alas.  (And as we all know,
writing and publishing an RFC is no guarantee that the market will listen
to us.)

                                                - Ted