Many thanks for this very informative post - really appreciated. Some comments, below... On Sat, 5 Jan 2013, Jon Callas wrote:
Now that $250K that I spent got an offline root CA and an intermediate online CA. The intermediate was not capable of supporting workloads that would make you a major business. You need a data center after that, that supports the workloads that your business requires. But of course, you can grow that with your customer workload, and you can buy the datacenter space you need.
You're the second person in this thread to mention hardware and datacenter costs ... and while I don't want to drift too far into a blood and guts sysadmin rundown, I am curious... Are you talking about the customer-facing, retail side of things with the webservers and the load balancers and all of the things that make a "robust web presence", or are you talking strictly about the X.509 components?
Because it seems to me (naive?) that even a very high volume X.509 signing operation is ... maybe a pair of good 1U servers and a rack at a decent (SAS70/PCI/blah/blah) datacenter ... ? OK, a firewall and maybe some IDS system ... but we're still only a handful of 1U boxes and a quarter of a rack...
Perhaps it's this kind of thinking that leads to failed audits :)
There are rumors, which you've read here about how there are lots of underhanded obstacles in the way of becoming a CA. My experience is that the only underhanded part of the industry is that no one in it dispels the rumors that there are underhanded obstacles in your path. This is pretty much the first time I have, so I suppose I'm as guilty as anyone else.
That's nice to know, and I'm heartened that all the way into 2012 this is still the case, but ... boy oh boy does this look and smell like a marketplace ripe for monopolization and a cartel ... it's almost a classic case.
I think the presence of a major browser that is a community, independent effort is an interesting wrinkle, and the fickleness of the browsing public (how fast did Chrome shoot up the charts? Safari?) adds a wrinkle too, but ... there's no way the large, entrenched players aren't sitting around thinking "gee, we have a nice thing going here..." Not a conspiracy theory, just common sense...
Thanks again for a really thought-provoking post.
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography