[cryptography] How much does it cost to start a root CA?

Jon Callas jon at callas.org
Sat Jan 5 14:42:31 EST 2013



I'm really glad you asked this question. It gives me a chance to tell a story I've wanted to tell for some time. I know the answer to your question because I've done it.

Some years ago, PGP Corporation toyed off and on with the idea of becoming a CA. We looked at ways to get there through the side door, like buying the assets of some company that was going out of business, and managed to be too little, too late.

So after a lot of dithering, we started a project to create a CA from scratch. I led the project and it had a budget of US$250K. I code-named the project Casablanca. Partially because Casablanca begins and ends with a CA, but mostly because I really like the phrase, "I am shocked, shocked that PGP is issuing X.509 certificates." 

The process for setting up a CA is straightforward and exacting. You have to have physical and logical controls on things, dual-authentication and separation of duties on just about everything, but it's straightforward. You have to write a lot of documents, create a lot of procedures, and have all of that audited. You have to get audited regularly and often as you start out, and then the audits taper off after you show that you're running a tight ship. 

The main thing you're looking to do is to pass the WebTrust audit and associated practices that the platforms will require you to do. Microsoft has the most mature process. They have a set of rules and guidelines. If you follow them, you're in. One of those, by the way, is that you have to be a retail CA, as opposed to an internal one or a government one. It's best to work with Microsoft first, and once you're in their root program move to the others. They are fair, disciplined, and helpful. Most of all, once you've gone through all that, it's easier to get into the other important root stores.

If you go into this business with the attitude that you're doing a job that protects the Internet at large, defends the public trust, and so on, then you'll find the requirements completely reasonable and easy to do. 

Now that $250K that I spent got an offline root CA and an intermediate online CA. The intermediate was not capable of supporting workloads that would make you a major business. You need a data center after that, one that supports the workloads that your business requires. But of course, you can grow that with your customer workload, and you can buy the datacenter space you need.

The costs got split out to about 40% hardware, etc. and 60% people. It does not include the people costs of the internal PGP personnel who worked on it. I raided part-time help from around the company. It took about fourteen months from start to end.

PGP bought an existing company, TrustCenter. TrustCenter was the remaining end of GeoTrust (spun out of Equifax) that Verisign did not buy. The plan was that the PGP-branded Casablanca roots would be put into the TrustCenter machinery and datacenters, and then you have a major CA. That got interrupted by Symantec buying PGP and then buying Verisign. Casablanca is now rolled up into their Norton CA business along with Verisign and Thawte, GeoTrust, etc.

There are rumors, which you've read here, about how there are lots of underhanded obstacles in the way of becoming a CA. My experience is that the only underhanded part of the industry is that no one in it dispels the rumors that there are underhanded obstacles in your path. This is pretty much the first time I have, so I suppose I'm as guilty as anyone else.

Furthermore, there are lots of overblown rumors about the CA/Browser Forum. You don't have to be a Forum member to be a CA. If you plan to issue EV certificates, you have to follow the EV guidelines which are produced by the CA/Browser Forum, but that is because the platforms won't put your EV root in their stores unless you do. You don't have to be a member of the Forum to be a CA. As a matter of fact, there are a large number of CAs that are not members.

The situation is similar to Internet protocols and the IETF. If you want to make routers, you don't have to be a member of the IETF. You *will* have to follow IETF documents, but you don't have to participate. Obviously, there are advantages in participating, but there are also costs.

I was involved in the CA/Browser Forum for a few years, first with Apple (on the browser end) and then with Entrust (on the CA end). I heard the stories about how it's a cartel, etc. At PGP, we had no plans to be members because we had no interest in being part of a cartel. It was a huge disappointment to be there and find out that it isn't a cartel at all, it's a volunteer organization that handles lots of the rough edges of web PKI with the same combination of spurts of efficiency and spurts of fecklessness that you find in just about any organization that tries to get a bunch of organizations with different goals to work together.

Presently, the Forum is reorganizing itself for greater transparency and participation, which is not going as well as it could, despite lots of good ideas. But this is the way of all volunteer organizations, which often merely shuffle around the dumb things and smart things they do -- in correcting a dumb thing, they correct a smart one, too. There are many things one can criticize the Forum for, but it's not the usual things you hear. If you're starting a CA, you can deal with the Forum as you think it benefits you most.

The long pole in the tent of setting up a CA is getting your roots in all the platforms you need. It's much easier now than it has been in years past, but that's the annoying part because every platform has its own rules. As I said, start with Microsoft. These days, cross-certification is much harder than it was. In the wake of the last few years, most CAs are not interested in cross-certifying any more.

	Jon


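The $250K in the post bought an offline root and an online intermediate. As an added illustration, not code from the post or from PGP's Casablanca project, the Go program below builds that two-tier shape in memory with the standard library: a self-signed root, an issuing CA constrained to pathLenConstraint 0, and a leaf. It then shows that an extra sub-CA minted under the issuing CA cannot produce a trusted leaf, which is the control that bounds the damage if the online tier is ever misused. All names, serials and keys are constructed placeholders, and the check relies on Go's crypto/x509 enforcing the path length constraint during chain building.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
const caUse, eeUse = x509.KeyUsageCertSign | x509.KeyUsageCRLSign, x509.KeyUsageDigitalSignature

// tmpl builds a minimal template; a cert is marked CA exactly when it may sign certs.
func tmpl(cn string, ku x509.KeyUsage, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku}
}

// issue signs t with the parent's key; a nil parent makes t a self-signed root.
func issue(t, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Hierarchy builds root -> issuing CA (pathlen 0) -> leaf, plus a leaf under an extra sub-CA.
func Hierarchy() (leafOK, deepOK bool) {
	root, rootKey := issue(tmpl("Example Root", caUse, 1), nil, nil)
	it := tmpl("Example Issuing CA", caUse, 2)
	it.MaxPathLen, it.MaxPathLenZero = 0, true // may issue end-entity certs only
	inter, interKey := issue(it, root, rootKey)
	leaf, _ := issue(tmpl("example.test", eeUse, 3), inter, interKey)
	sub, subKey := issue(tmpl("Unplanned Sub-CA", caUse, 4), inter, interKey)
	deep, _ := issue(tmpl("example.test", eeUse, 5), sub, subKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(inter)
	opts.Intermediates.AddCert(sub)
	_, errLeaf := leaf.Verify(opts)
	_, errDeep := deep.Verify(opts) // rejected: one intermediate too many for pathlen 0
	return errLeaf == nil, errDeep == nil
}
```

In a real deployment the root key never lives on the same machine as the issuing CA; here both are in one process only so the chain checks can be run offline.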


