[cryptography] How much does it cost to start a root CA ?

Ralph Holz holz at net.in.tum.de
Sat Jan 5 08:05:08 EST 2013


> Is inclusion of a root CA in the major browsers a "shall issue" process
> ? hat is, you meet the criteria and you get in ?  Or is it a subjective,
> political process ?

The process varies between browser vendors, with baseline requirements
established in the CAB Forum. Audits are usually required.

The process for Mozilla is open: there is a one-week time of debate in
the group mozilla.dev.security.policy where everyone can chime in and
help to analyse the inclusion request. Sadly, there are not that many
participants, but that is understandable as the level of detail is high
and understanding a CPS document is very demanding. There are some
veterans, of course.

My impression is that every voice is heard equally, and a summary of
concerns then given at the end of the week. The CA is given a chance to
fix that and can then be included. Rejections are extremely rare, I am
not sure if I have seen even one in the past 3 years. It certainly was
not more.

I am not sure if some participants' opinion is given more weight than
others (it might make sense), or how the resolution of concerns is
handled afterwards.

What I have seen repeatedly is discussion whether a CA operates for the
general public (only those are deemed acceptable) or not. That seems to
be a somewhat subjective criterion.

What I have also seen was post-hoc debate about the inclusion of the
Chinese CA CNNIC (CN-NIC), which IMO highlighted a shortcoming of the
process: If participants do not have much time, the one-week discussion
period may pass without many comments and a CA thus be included. In the
case of CNNIC, many objections were raised afterwards as this CA had
been allegedly associated with malware in the past; there was also
concern the Chinese government might use it to issue the kind of MITM
certificates we're worried about. No proof of any such activity could be
given, and Mozilla decided that the fair approach was to keep them in.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130105/f1c3b997/attachment.asc>

More information about the cryptography mailing list