On 22/02/2018 22:17, James Burton wrote:
There needs to be a program that helps security researchers like myself get
free or low cost certificates for research purposes. That EV research I did
a while ago nearly set me back personally $4,297.


I think there are three main cases and an additional concern:

1. Getting real certificates from a real CA referring to real domains.
  Only secure option is to get the research sponsored by that CA,
  perhaps in exchange for giving them a longer than standard heads up of
  any results regarding their security.

2. Getting real certificates for a test/dummy domain.
  Perhaps a weakening rule can be introduced in the BRs (subject to a lot
  of discussions as this will be very controversial and potentially
  dangerous), that certificates for the .invalid TLD can be issued under
  special research terms.  However I doubt the current BR maintainers or
  the leaders of this Mozilla group will agree to that.

3. Getting invalid/test certificates for a real domain to test
  Perhaps some CAs can be talked into setting up a special "test only,
  DO NOT TRUST" root CA running in parallel to their real trusted roots,
  allowing cheap issuance for tests and experiments.  Such a test root
  would not be in the CCADB or any root program, nor be cross-signed by
  any real roots.
  Such a test hierarchy would also be useful for organizations setting
  up and testing automated certificate management systems prior to using
  those systems with real certificates.

Additionally, for the manual step verified EV and OV certificates,
issuance involves real man-hours at the CA organization.  So for such
higher grade certificates, getting them for free or on a 30 days-return
policy would not be a good thing to allow.  Even for testing.
Especially since such research certificates are probably going to
trigger additional manual revocation procedures (= more man-hours to be


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list