[cryptography] How much does it cost to start a root CA ?
iang at iang.org
Sat Jan 5 09:51:23 EST 2013
On 5/01/13 01:05 AM, Ryan Sleevi wrote:
> On Fri, January 4, 2013 12:59 pm, Greg Rose wrote:
>> You could ask the folks at CAcert... I imagine Ian Grigg will also chime
>> in. Certification costs a lot, and as you have observed, the incumbents
>> try very hard to keep you out. Despite some reasonable sources of funding,
>> CAcert still didn't succeed.
> Can you explain how, exactly, incumbents leverage any power to keep new
> entrants out?
Ref OP's last para, bottom, and pgut's more detailed explanation. The
technical term in economics art is "barriers to entry." Cf. Michael
Porter's 5 forces, for those who really want references, and aren't just
throwing the speculation mud around.
> The policies are set by the browsers/root store operators - not CAs.
> Microsoft -
> Apple - http://www.apple.com/certificateauthority/ca_program.html
> Mozilla - http://www.mozilla.org/projects/security/certs/policy/
> Opera - http://www.opera.com/docs/ca/
Who wrote the policies?
Answer -- the vendors in consultation with the CAs. Fuller answer -
observe that the vendors have little understanding of the industry, so
they naturally lean on the participants to come up with a "best
practice." This process migrates naturally to the original incumbents
raising the barriers.
> Consistent among them is that they require a WebTrust or ETSI audit -
> audits which were designed to reflect the collective shared policies of
> the browsers. Not collective action by CAs.
Who promotes the audits?
Short answer: The CAs who have them.
Longer answer -- although the vendors agree with the audit process, very
few of them can pin down how they help the user or the vendor. It's a
regulation in place, not one that necessarily helps or proves anything.
As a matter of my experience, the audits and auditors generally turn a
blind eye to user interests, and generally concentrate on those things
that the CAs think are important to them. Vendors however haven't the
experience of the CAs nor the understanding of audit to see that. But
they are content because they have achieved a compliance objective.
Auditors don't care as long as they are respected and they get paid
their fees. Everyone's happy.
So what is the real question? This is mine: does the audit do anything
positive for the users? My answer - no.
> More recently, the browsers have begun to increase the minimum
> requirements they expect of their root store participants, in light of
> several prominent failures. These are memorialized in the CA/Browser
> Forum's Baseline Requirements (
> https://www.cabforum.org/Baseline_Requirements_V1_1.pdf ), which were
> driven by browsers seeking to find a consistent, common agreement about
> the requirements of their members.
Yes. Barriers to entry, reading from the prayer book.
> CACert's failures have nothing to do with the actions of any incumbent CA,
> but through an inability so far to meet the requirements set forth by the
> browser programs they were seeking to be included in.
That's mostly true but not entirely. When CAcert attempted to get into
Mozilla, Mozilla didn't have a policy. Opera charged a flat rate for
any CA to get in, no questions asked (more or less). Microsoft didn't
have a policy but a secret legal process. Konqueror did whatever
Mozilla did. WebTrust was optional, and easy.
The supporters of CAs were amongst those who delayed CAcert in. The
obvious question was raised "what's your policy?" It is impossible to
separate out the CAs and the useful idiots in this respect, but the fact
is that "before" it was trivial, more or less just small amounts of
money. After it was expensive and difficult.
And: few CAs that were in before were re-verified.
Further, Mozilla's publication of an open, formally prepared and thought
out policy (to which I contributed) did cause a wave of consolidation
such that now, we're drowning in policies & audits.
The part that is true is that CAcert was not really at that time in a
position to meet a proper reading of WebTrust. However, neither were
many other CAs, including the ones with WebTrust :) CAcert wouldn't
have met the needs of the first audit criteria, nor the first auditor.
It took around 3 years for CAcert to meet its first audit criteria.
But, no other CA will meet those needs now, either. They will all fail
the audit criteria that CAcert used.
> Even Ian has
> attested that Mozilla's policy is both clear and fair in this regard.
:) Mozilla's policies are fairly clear; but/and I had a hand in
writing them. Indeed, before I took on the CAcert role, which is ironic.
Fair. What is fair? That's a rabbit hole, don't go down it.
I will however say that it is my opinion that the policies do not meet
the needs of users. At all, in any way shape or form.
> Additionally, there are not,
> A lot of speculation on this thread, but the answers are readily and
> trivially available.
As one poster wrote recently, "you have failed to prove your points."
(Meaning, I.) Heavy implication - you have to prove your points or
This implication is wrong. As we all know, some things are not
provable. More specifically, it is not provable because the evidence
cannot be presented.
Therefore, this leads to an obvious attack - keep all evidence secret,
then tell everyone who criticises the system that they have to prove
their points. Knowing that they cannot bring the evidence. Therefore
they are wrong.
This is the attack that the CA industry uses and has always used (that's
my opinion, but I can present some evidence). Although the policies are
somewhat clear now across vendors - it wasn't always so and it was only
that concerted effort at Mozilla that led to the openness of the policies.
And, only policies.
E.g., the only place where there are open deliberations is Mozilla.
And, little known secret - not all the deliberations in Mozilla are
open, some are secret. Guess which parts... None of the deliberations
of the other vendors are open. Indeed, to enter into any discussions
with some vendors they may make you sign quite serious NDAs first off. Even
your own presentations are secret.
Until Mozilla, everything about the industry was secret. After
Mozilla's policy, some things got opened up, but only around 10% across
the industry. And only around 30% at Mozilla. It's still a secret
industry. Only 6 months ago did CABForum - a totally secret
organisation - agree to open up. And only then, when the insiders were
able to craft a facade.
In that environment, the onus is on the CAs to prove they are doing the
right thing. And that they cannot do - because they keep it secret.
>>> Finally, it seems to me that since there are so few root CAs (~30 ?) and
>>> the service provided is such an arbitrary, misunderstood one, that
>>> existing CAs would be actively trying to prevent new entrants ... and
>>> establish themselves as toll collectors with a pseudo monopoly ... what
>>> evidence (if any) do we have that they are pursuing such an ecosystem ?