CAs should invest heavily in security (theoretically), and they rely entirely on consumer confidence, that is, they carry a very high risk in their business model (theoretically). They should conduct rigorous audits (theoretically) and handle security incidents quickly and efficiently (theoretically). They need to develop impeccable consumer-oriented software (theoretically), provide high-availability services (theoretically), and ensure that they adequately verify everyone they supply (theoretically). They should also remain abreast of all recent PKI research (theoretically). In addition, many trust issuers also offer a certain level of insurance if the trust implied by the certificate fails anyway.
So, in theory, there are many good reasons why this can be expensive. There are significant costs associated with starting a CA. In fact, since these practices are followed haphazardly, and the entire PKI SSL/TLS model is fully focused on corporate monopolies, you will find that margins are so obscene that they are practically a licence to print money. People are forced to pay large sums for certificates that generally do not meet these guarantees.
Large CAs can get away with it because they created a political situation in which they are necessary and are not held to account, because they are "too big to fail." In the case of SSL in browsers, the browsers depend on trust in the CA, because many web servers and their end users (i.e. browser users) use its services. Removing a CA (however legitimate that would be) would break things for a lot of users who would not understand why a certain percentage of their secure sites (such as banks, shops, etc.) are no longer trusted. In this sense, the PKI SSL/TLS model does not work. Users do not trust these services themselves, so they offload the responsibility for deciding who is trusted to the browsers, which transfer it to the CAs, but then the browsers cannot revoke that trust because they will be punished by users - therefore, the CAs can do what they like.
In the case of code signing, this often simply turns existing monopolies into further profit. In some cases, their prices are high. Others, such as Microsoft, are relatively low and reflect the significant cost of hiring an expert to conduct a thorough audit, and of the rest of the departments that control how code signing works (for example, website, support, etc.). Since the benefits of ensuring that code signatures work as intended are high for Microsoft, they don't care about making a profit from the act of issuing certificates. The cost reflects the fact that they conduct a thorough, meaningful audit and make genuine promises of trust that reflect their business.
Rushyo