On Fri, January 4, 2013 12:59 pm, Greg Rose wrote:
> You could ask the folks at CAcert... I imagine Ian Grigg will also chime
> in. Certification costs a lot, and as you have observed, the incumbents
> try very hard to keep you out. Despite some reasonable sources of funding,
> CAcert still didn't succeed.
>
> Greg.
Can you explain how, exactly, incumbents leverage any power to keep new
entrants out? The policies are set by the browsers/root store operators -
not CAs.

Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx
Apple - http://www.apple.com/certificateauthority/ca_program.html
Mozilla - http://www.mozilla.org/projects/security/certs/policy/
Opera - http://www.opera.com/docs/ca/

Consistent among them is that they require a WebTrust or ETSI audit -
audits which were designed to reflect the collective shared policies of
the browsers. Not collective action by CAs.

More recently, the browsers have begun to increase the minimum
requirements they expect of their root store participants, in light of
several prominent failures. These are memorialized in the CA/Browser
Forum's Baseline Requirements
( https://www.cabforum.org/Baseline_Requirements_V1_1.pdf ), which were
driven by browsers seeking to find a consistent, common agreement about
the requirements of their members.

CAcert's failures have nothing to do with the actions of any incumbent
CA, but with an inability so far to meet the requirements set forth by
the browser programs they were seeking to be included in. Even Ian has
attested that Mozilla's policy is both clear and fair in this regard.

Additionally, there are not, as the original poster suggested, only 30
root CAs. This can be trivially discovered by examining the lists of CAs
included in these programs - which are all public.

Mozilla - http://www.mozilla.org/projects/security/certs/included/
Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and-windows-phone-8-ssl-root-certificate-program-member-cas.aspx
Apple - http://opensource.apple.com/source/security_certificates/security_certificates-55024.2/ (OS X 10.8.2)
Opera - http://my.opera.com/rootstore/blog/

A lot of speculation on this thread, but the answers are readily and
trivially available.
Cheers,
Ryan

> On 2013 Jan 4, at 11:41 , John Case wrote:
>
> > Let's assume hardware is zero ... it's a really variable cost, so I
> > assume (correct me if I'm wrong) that it is a trivial cost compared to
> > legal and audit costs, etc.
> >
> > So what does it cost to start a root CA, get properly audited (as I see
> > the root CAs are) and get yourself included into, say, firefox or chrome
> > ?
> >
> > A followup question would be:
> >
> > Is inclusion of a root CA in the major browsers a "shall issue" process
> > ? That is, you meet the criteria and you get in ? Or is it a subjective,
> > political process ?
> >
> > Finally, it seems to me that since there are so few root CAs (~30 ?) and
> > the service provided is such an arbitrary, misunderstood one, that
> > existing CAs would be actively trying to prevent new entrants ... and
> > establish themselves as toll collectors with a pseudo monopoly ... what
> > evidence (if any) do we have that they are pursuing such an ecosystem ?
> >
> > Thank you.
> > _______________________________________________
> > cryptography mailing list
> > cryptography@randombit.net
> > http://lists.randombit.net/mailman/listinfo/cryptography