On 22/02/2018 23:27, James Burton wrote:
It doesn't take that long for a CAs to do vetting checks for OV and EV
certificates when everything is handed to them on a plate. Breaking CAs
vetting procedures is not too hard.

In principle, the vetting procedures is what customers pay for and
relying parties depend on.  The automated certificate signing and
revocation systems are operational security critical infrastructure, but
logically secondary to the vetting.

The key here is that security research shouldn't cost the
researcher thousands to prove a valid point. They should be entitled to
some type of compensation from the CA.
It would be great if CAs ran a program that allowed security researchers to
get compensated after the research instead of before.

That would be my option 2 below: Getting the tested CA to sponsor the

My option 3 below, if combined with the real vetting processes of that
CA, would be another way to handle research probing (with no risk of
being accused of causing actual dangers), provided the CA can be trusted
not to do things correctly and more securely for the test certificates,
but wrong/insecurely for the real certificates.


On Thu, Feb 22, 2018 at 10:10 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

On 22/02/2018 22:17, James Burton wrote:

There needs to be a program that helps security researchers like myself
free or low cost certificates for research purposes. That EV research I
a while ago nearly set me back personally $4,297.


I think there are three main cases and an additional concern:

1. Getting real certificates from a real CA referring to real domains.
   Only secure option is to get the research sponsored by that CA,
   perhaps in exchange for giving them a longer than standard heads up of
   any results regarding their security.

2. Getting real certificates for a test/dummy domain.
   Perhaps a weakening rule can be introduced in the BRs (subject o a lot
   of discussions as this will be very controversial and potentially
   dangerous), that certificates for the .invalid TLD can be issued under
   special research terms.  However I doubt the current BR maintainers or
   the leaders of this Mozilla group will agree to that.

3. Getting invalid/test certificates for a real domain to test
    Perhaps some CAs can be talked into setting up a special "test only,
   DO NOT TRUST" root CA running in parallel to their real trusted roots,
   allowing cheap issuance for tests and experiments.  Such a test root
   would not be in the CCADB or any root program, nor be cross-signed by
   any real roots.
    Such a test hierarchy would also be useful for organizations setting
   up and testing automated certificate management systems prior to using
   those systems with real certificates.

Additionally, for the manual step verified EV and OV certificates,
issuance involves real man-hours at the CA organization.  So for such
higher grade certificates, getting them for free or on a 30 days-return
policy would not be a good thing to allow.  Even for testing.
Especially since such research certificates are probably going to
trigger additional manual revocation procedures (= more man-hours to be


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list

Reply via email to