<[email protected]> writes:

> mmm I don't think it's the correct amount. As far as I know, obtaining a
> report (and relative seals) for Baseline v.2.0 and SSL criteria 2.0 should
> cost you around 100K dollars. Obviously not considering the money needed to
> fill any eventually emerged gaps from the standards (i.e. buying HSMs). If I
> didn't understand you, please correct me.
That's like saying that getting a safety-code compliance certificate for a building will cost you $5,000 and take about a day. That may be the cost of getting the piece of paper, but the remedial work required to get to that point could be half a million dollars and take a year of effort. It's the same with getting to the point of getting the paperwork to get into the root stores, the rule-of-thumb figure I've heard thrown around is $1M and a year's work:

As a rule of thumb to help you estimate the amount of legal and procedural work involved, for a CA providing general services to the public (either directly or indirectly, for example as part of a government department or one providing services for multiple different parties outside your direct control rather than being purely a non-public or in-house CA), expect to spend about a million dollars (or euros, or pounds, or zorkmids, the figure of "one million" is rather consistent across currencies) on legal and business issues including due diligence, preparing the certificate practice statement (CPS), and being audited to ensure that you've got it right. As one set of PKI guidelines puts it, "given that the principal product sold by a CA is 'trust' there is a critical requirement to be able to demonstrate a thorough understanding of the security threats faced by a CA" [ ]. If you ask your lawyers about this they'll tell you that the best way to limit your liability is to get everyone involved to agree that they won't use your certificates for anything, and then the business people need to negotiate back what they can actually be used for, as little as possible if the lawyers can help it. For a CA of this kind you should expect the legal side of things to occupy two technical people (to educate the lawyers) and four to six lawyers full-time for around six months, and then budget another six months to clear the paperwork and wait for all the approvals to go through.

If someone tells you that they can set up your PKI for a lot less than this when your certificate practice statement is anything more complex than "You can't use these certificates for any purpose and we accept no liability for anything" then this should ring alarm bells (although some CAs claim to provide liability cover, this is structured in such a way that the CA never has to pay out under any conceivable real-world scenario, with one CA admitting that their liability cover is "really there just to reassure you that it's a true 128-bit certificate, and to make you feel better about purchasing it" [ ]). The details of the requirements for a PKI of this scope are far too complex to even begin to address here except to warn that it's a big one. If you're looking for a starting point for this then chances are that your national government or other governing body (for example a banking standards body or regulator if you're a bank) will have some sort of PKI guidelines that you can use.

Peter.
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy