[cryptography] How much does it cost to start a root CA ?

Ryan Hurst ryan.hurst at globalsign.com
Sat Jan 5 14:12:06 EST 2013


Before joining GlobalSign a year ago I was an observer to what was going on in the CA industry.

Personally I saw (and still do see) value in the services that a CA offers and believe that for the large majority of users on the Internet there is value in knowing who is behind a domain name.

I also felt that, given the reality of where we are with technology and how long it takes for new technology to be deployed on a global scale, CAs will be around for quite some time.

I saw all of this as an opportunity to try to change things for the better and built a model and associated business plan for creating another CA.

That exercise showed that to build an operational data center with sufficient scale, security, computing power, and security would cost around 1.5 million dollars, and that with this expenditure under your belt you would need to wait four years before you had a viable product offering and were able to compete.

You would then either need to eat the operational costs for four years, which would run around three quarters of a million each year, or diversify your business and invest into other product areas to offset those costs.

You could shortcut this waiting by finding somebody who is already trusted and cross-certifying with them, but no CAs were considering such propositions.

As such I would argue the cost of entering this industry as a certificate authority that serves the Internet at large is approximately US $5 million and 4 years.

Ryan Hurst


Sent from my phone, please forgive the brevity.

On Jan 5, 2013, at 7:02 AM, ianG <iang at iang.org> wrote:

> On 5/01/13 04:44 AM, Peter Gutmann wrote:
>> John Case <case at SDF.ORG> writes:
>> 
>>> So what does it cost to start a root CA, get properly audited (as I see the
>>> root CAs are) and get yourself included into, say, firefox or chrome ?
>> 
>> The rule of thumb I've seen from various inside sources is about $1M [0].
> 
> Nod.  From the audit perspective alone, the rule of thumb we worked with was minimum $0.25M for the audits alone.  That didn't include the work the CA did, just the fees to the auditors.  From there, it isn't a stretch to reach Peter's number above for the total cost.
> 
> iang