It doesn't take that long for a CA to do vetting checks for OV and EV
certificates when everything is handed to them on a plate. Breaking CAs'
vetting procedures is not too hard.
The key here is that security research shouldn't cost the
researcher thousands to prove a valid point. They should be entitled to
some type of compensation from the CA.
It would be great if CAs ran a program that allowed security researchers to
get compensated after the research instead of before.
On Thu, Feb 22, 2018 at 10:10 PM, Jakob Bohm via dev-security-policy <
> On 22/02/2018 22:17, James Burton wrote:
>> There needs to be a program that helps security researchers like myself get
>> free or low cost certificates for research purposes. That EV research I did
>> a while ago nearly set me back personally $4,297.
> I think there are three main cases and an additional concern:
> 1. Getting real certificates from a real CA referring to real domains.
> Only secure option is to get the research sponsored by that CA,
> perhaps in exchange for giving them a longer than standard heads up of
> any results regarding their security.
> 2. Getting real certificates for a test/dummy domain.
> Perhaps a weakening rule can be introduced in the BRs (subject to a lot
> of discussions as this will be very controversial and potentially
> dangerous), that certificates for the .invalid TLD can be issued under
> special research terms. However I doubt the current BR maintainers or
> the leaders of this Mozilla group will agree to that.
> 3. Getting invalid/test certificates for a real domain to test
> Perhaps some CAs can be talked into setting up a special "test only,
> DO NOT TRUST" root CA running in parallel to their real trusted roots,
> allowing cheap issuance for tests and experiments. Such a test root
> would not be in the CCADB or any root program, nor be cross-signed by
> any real roots.
> Such a test hierarchy would also be useful for organizations setting
> up and testing automated certificate management systems prior to using
> those systems with real certificates.
> Additionally, for the manual step verified EV and OV certificates,
> issuance involves real man-hours at the CA organization. So for such
> higher grade certificates, getting them for free or on a 30-day return
> policy would not be a good thing to allow. Even for testing.
> Especially since such research certificates are probably going to
> trigger additional manual revocation procedures (= more man-hours to be
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> dev-security-policy mailing list
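The "test only, DO NOT TRUST" hierarchy from point 3 of the quoted message, issuing for a .invalid name as in point 2, as an added example in Go using only the standard library crypto/x509 package. This is not code from the thread or from any CA; the organization and CN strings are illustrative, the host name is constructed, and an empty CertPool stands in for a real root program store (which would never contain the test root, so the verification outcome is the same). The check a practitioner wants to automate is the second one: the leaf must fail with an unknown-authority error as soon as the test root is not explicitly trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestHierarchy is an in-memory "test only, DO NOT TRUST" root plus one leaf
// certificate issued from it. Nothing is written to disk or installed in any
// trust store.
type TestHierarchy struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// NewTestHierarchy generates a self-signed test root and issues a server
// certificate for host from it. The Organization and CommonName values are
// illustrative (assumed for this example), not names any real CA uses.
func NewTestHierarchy(host string) (*TestHierarchy, error) {
	now := time.Now()

	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Organization: []string{"Example CA (test hierarchy)"},
			CommonName:   "Example Test Root - DO NOT TRUST",
		},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: template and parent are the same certificate.
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Leaf is signed by the test root's key; AuthorityKeyId is filled in from the parent.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &TestHierarchy{Root: root, Leaf: leaf}, nil
}

// VerifyAgainst builds a chain for the leaf using only the given roots
// (a non-nil pool, so the system store is never consulted).
func (h *TestHierarchy) VerifyAgainst(roots *x509.CertPool, host string) error {
	_, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsolatedFromRealRoots reports whether the leaf chains when the test root is
// explicitly trusted and fails with UnknownAuthorityError when it is not.
func IsolatedFromRealRoots(h *TestHierarchy, host string) (bool, error) {
	testPool := x509.NewCertPool()
	testPool.AddCert(h.Root)
	if err := h.VerifyAgainst(testPool, host); err != nil {
		return false, fmt.Errorf("leaf should chain to the test root: %w", err)
	}
	err := h.VerifyAgainst(x509.NewCertPool(), host) // stand-in for a real root store
	var unknown x509.UnknownAuthorityError
	if !errors.As(err, &unknown) {
		return false, fmt.Errorf("expected UnknownAuthorityError without the test root, got %v", err)
	}
	return true, nil
}

func main() {
	const host = "research.invalid" // constructed .invalid name, as in point 2
	h, err := NewTestHierarchy(host)
	if err != nil {
		panic(err)
	}
	ok, err := IsolatedFromRealRoots(h, host)
	fmt.Printf("root: %q\nisolated from real roots: %v (err=%v)\n", h.Root.Subject.CommonName, ok, err)
}
```

The isolation holds only as long as the test root is never cross-signed by a real root and never added to a store; the empty-pool verification is the regression check to run whenever the test hierarchy is re-keyed.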