[cryptography] How much does it cost to start a root CA ?

John Case case at SDF.ORG
Sun Jan 6 01:10:53 EST 2013


Many thanks for this very informative post - really appreciated.

Some comments, below...

On Sat, 5 Jan 2013, Jon Callas wrote:

> Now that $250K that I spent got an offline root CA and an intermediate 
> online CA. The intermediate was not capable of supporting workloads that 
> would make you a major business. You need a data center after that, that 
> supports the workloads that your business requires. But of course, you 
> can grow that with your customer workload, and you can buy the 
> datacenter space you need.

You're the second person in this thread to mention hardware and datacenter 
costs ... and while I don't want to drift too far into a blood and guts 
sysadmin rundown, I am curious...  Are you talking about the customer 
facing, retail side of things with the webservers and the load balancers 
and all of the things that make a "robust web presence" or are you talking 
strictly the x.509 components ?

Because it seems to me (naive ?) that even a very high volume x.509 
signing operation is ... maybe a pair of good 1u servers and a rack at a 
decent (sas70/pci/blah/blah) datacenter ... ?  Ok, a firewall and maybe 
some IDS system ... but we're still only a handful of 1u boxes and a 
quarter of a rack...

Perhaps it's this kind of thinking that leads to failed audits :)

> There are rumors, which you've read here about how there are lots of 
> underhanded obstacles in the way of becoming a CA. My experience is that 
> the only underhanded part of the industry is that no one in it dispels 
> the rumors that there are underhanded obstacles in your path. This is 
> pretty much the first time I have, so I suppose I'm as guilty as anyone 
> else.

That's nice to know, and I'm heartened that all the way into 2012 this is 
still the case, but ... boy oh boy does this look and smell like a 
marketplace ripe for monopolization and a cartel ... it's almost a classic 

I think the presence of a major browser that is a community, independent 
effort is an interesting wrinkle, and the fickleness of the browsing 
public (how fast did chrome shoot up the charts ?  Safari ?) adds a 
wrinkle too, but ... there's no way the large, entrenched players aren't 
sitting around thinking "gee we have a nice thing going here..."  Not a 
conspiracy theory, just common sense...

Thanks again for a really thought-provoking post.
