[cryptography] How much does it cost to start a root CA ?

Ryan Sleevi ryan+cryptography at sleevi.com
Fri Jan 4 17:05:48 EST 2013

On Fri, January 4, 2013 12:59 pm, Greg Rose wrote:
>  You could ask the folks at CAcert... I imagine Ian Grigg will also chime
>  in. Certification costs a lot, and as you have observed, the incumbents
>  try very hard to keep you out. Despite some reasonable sources of funding,
>  CAcert still didn't succeed.
>  Greg.

Can you explain how, exactly, incumbents leverage any power to keep new
entrants out?

The policies are set by the browsers/root store operators - not CAs.

Microsoft -
Apple - http://www.apple.com/certificateauthority/ca_program.html
Mozilla - http://www.mozilla.org/projects/security/certs/policy/
Opera - http://www.opera.com/docs/ca/

Consistent among them is that they require a WebTrust or ETSI audit -
audits which were designed to reflect the collective shared policies of
the browsers. Not collective action by CAs.

More recently, the browsers have begun to increase the minimum
requirements they expect of their root store participants, in light of
several prominent failures. These are memorialized in the CA/Browser
Forum's Baseline Requirements (
https://www.cabforum.org/Baseline_Requirements_V1_1.pdf ), which were
driven by browsers seeking to find a consistent, common agreement about
the requirements of their members.

CAcert's failures have nothing to do with the actions of any incumbent CA,
but through an inability so far to meet the requirements set forth by the
browser programs they were seeking to be included in. Even Ian has
attested that Mozilla's policy is both clear and fair in this regard.

Additionally, there are not, as the original poster suggested, only 30
root CAs. This can be trivially discovered by examining the lists of CAs
included in these programs - which are all public.

Mozilla - http://www.mozilla.org/projects/security/certs/included/
Microsoft -
Apple -
(OS X 10.8.2)
Opera - http://my.opera.com/rootstore/blog/

A lot of speculation on this thread, but the answers are readily and
trivially available.


>  On 2013 Jan 4, at 11:41 , John Case wrote:
> >
> > Let's assume hardware is zero ... it's a really variable cost, so I
> > assume (correct me if I'm wrong) that it is a trivial cost compared to
> > legal and audit costs, etc.
> >
> > So what does it cost to start a root CA, get properly audited (as I see
> > the root CAs are) and get yourself included into, say, firefox or chrome
> > ?
> >
> > A followup question would be:
> >
> > Is inclusion of a root CA in the major browsers a "shall issue" process
> > ? That is, you meet the criteria and you get in ?  Or is it a subjective,
> > political process ?
> >
> > Finally, it seems to me that since there are so few root CAs (~30 ?) and
> > the service provided is such an arbitrary, misunderstood one, that
> > existing CAs would be actively trying to prevent new entrants ... and
> > establish themselves as toll collectors with a pseudo monopoly ... what
> > evidence (if any) do we have that they are pursuing such an ecosystem ?
> >
> > Thank you.
> > _______________________________________________
> > cryptography mailing list
> > cryptography at randombit.net
> > http://lists.randombit.net/mailman/listinfo/cryptography
