[cryptography] How much does it cost to start a root CA?

Ryan Sleevi ryan+cryptography at sleevi.com
Fri Jan 4 18:31:55 EST 2013


On Fri, January 4, 2013 3:06 pm, James A. Donald wrote:
>  On 2013-01-05 8:05 AM, Ryan Sleevi wrote
> > Can you explain how, exactly, incumbents leverage any power to keep new
> > entrants out?
>
>  Such behavior is necessarily a deviation from official truth, from the
>  way certification is supposed to work, thus the only way to observe such
>  behavior would be if emails leaked, as in the climategate files where we
>  saw how peer review actually worked.
>
>  Analogously, regulators, financial audits and ratings agencies were
>  supposed to ensure that banks only invested in safe stuff.  When the
>  proverbial hit the fan, it became apparent that regulators, financial
>  audits and ratings agencies in practice ensured that banks only invested
>  in politically correct stuff, but no one can explain how, exactly, this
>  happened - well it is pretty obvious how it happened, and one can make a
>  pretty good guess how it happened, but there is no direct official
>  evidence as to how it happened.

While I appreciate a good bit of paranoia and tin-foil hat wagging as much
as the next person, I think your analogy breaks down pretty critically.

In the case you referenced, it was the role of auditors and regulators to
keep people out / keep people honest, and they failed, and so more people
/ dishonest people got in. However, the speculation about CA collusion
requires the CAs to be working hard to keep new entrants out - the exact
*opposite* behaviour.

Such a conspiracy requires auditors colluding to keep new entrants out. To
be quite frank, I would be surprised if anyone on this list, concerned
about security, would be saddened or upset if they heard horror stories of
WebTrust auditors finding actionable concerns that kept new entrants out -
such as failures to adhere to their policies or unaddressed security
concerns.

At best, it means the market is incentivizing auditors to closely examine
new entrants for best practices. Is that a bad thing and does it really
demonstrate a vast CA conspiracy? Has there ever been a new CA, attempting
to get audited, who has said with a straight face that the audits are
unreasonably thorough? Shouldn't that be the bare minimum for having the
ability to affect trust globally?

So at best, we have FUD and unsubstantiated speculation about auditors
being "too" strict - at the same time that the browsers are working to
make the requirements more strict.
