On 22/02/2018 22:17, James Burton wrote:
> There needs to be a program that helps security researchers like myself get
> free or low cost certificates for research purposes. That EV research I did
> a while ago nearly set me back personally $4,297.
I think there are three main cases and an additional concern:
1. Getting real certificates from a real CA referring to real domains.
The only secure option is to get the research sponsored by that CA,
perhaps in exchange for giving them a longer than standard heads up of
any results regarding their security.
2. Getting real certificates for a test/dummy domain.
Perhaps a weakening rule can be introduced in the BRs (subject to a lot
of discussions as this will be very controversial and potentially
dangerous), that certificates for the .invalid TLD can be issued under
special research terms. However I doubt the current BR maintainers or
the leaders of this Mozilla group will agree to that.
3. Getting invalid/test certificates for a real domain to test.
Perhaps some CAs can be talked into setting up a special "test only,
DO NOT TRUST" root CA running in parallel to their real trusted roots,
allowing cheap issuance for tests and experiments. Such a test root
would not be in the CCADB or any root program, nor be cross-signed by
any real roots.
Such a test hierarchy would also be useful for organizations setting
up and testing automated certificate management systems prior to using
those systems with real certificates.
Additionally, for the manual step verified EV and OV certificates,
issuance involves real man-hours at the CA organization. So for such
higher grade certificates, getting them for free or on a 30 days-return
policy would not be a good thing to allow. Even for testing.
Especially since such research certificates are probably going to
trigger additional manual revocation procedures (= more man-hours to be
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list