It doesn't take that long for a CA to do vetting checks for OV and EV
certificates when everything is handed to them on a plate. Breaking CAs'
vetting procedures is not too hard.

The key here is that security research shouldn't cost the
researcher thousands to prove a valid point. They should be entitled to
some type of compensation from the CA.
It would be great if CAs ran a program that allowed security researchers to
get compensated after the research instead of before.


On Thu, Feb 22, 2018 at 10:10 PM, Jakob Bohm via dev-security-policy <> wrote:

> On 22/02/2018 22:17, James Burton wrote:
>> There needs to be a program that helps security researchers like myself
>> get free or low cost certificates for research purposes. That EV research
>> I did a while ago nearly set me back personally $4,297.
>> James
> I think there are three main cases and an additional concern:
> 1. Getting real certificates from a real CA referring to real domains.
>   Only secure option is to get the research sponsored by that CA,
>   perhaps in exchange for giving them a longer than standard heads up of
>   any results regarding their security.
> 2. Getting real certificates for a test/dummy domain.
>   Perhaps a weakening rule can be introduced in the BRs (subject to a lot
>   of discussions as this will be very controversial and potentially
>   dangerous), that certificates for the .invalid TLD can be issued under
>   special research terms.  However I doubt the current BR maintainers or
>   the leaders of this Mozilla group will agree to that.
> 3. Getting invalid/test certificates for a real domain to test
>   procedures.
>   Perhaps some CAs can be talked into setting up a special "test only,
>   DO NOT TRUST" root CA running in parallel to their real trusted roots,
>   allowing cheap issuance for tests and experiments.  Such a test root
>   would not be in the CCADB or any root program, nor be cross-signed by
>   any real roots.
>   Such a test hierarchy would also be useful for organizations setting
>   up and testing automated certificate management systems prior to using
>   those systems with real certificates.
> Additionally, for the manual step verified EV and OV certificates,
> issuance involves real man-hours at the CA organization.  So for such
> higher grade certificates, getting them for free or on a 30 days-return
> policy would not be a good thing to allow.  Even for testing.
> Especially since such research certificates are probably going to
> trigger additional manual revocation procedures (= more man-hours to be
> paid).
> Enjoy
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded