Re: [cryptography] How much does it cost to start a root CA ?

2013-01-06 Thread ianG

On 6/01/13 09:48 AM, Ryan Sleevi wrote:


  Perhaps it's this kind of thinking that leads to failed audits :)


It will, it does, and the information is readily available from the
previous post.

https://www.cabforum.org/Baseline_Requirements_V1_1.pdf Sections 14
through 16

Additionally, https://www.cabforum.org/Network_Security_Controls_V1.pdf
describes a series of controls jointly developed by the browsers and CAs.



Ryan, that's not true.  I know it is easy to market the organisation as 
being open and friendly, but some of us weren't born last night.


I think the truth is that it was developed by CABForum participants.  In 
private.  Right?  And then announced to the world here:


   12 - June -2012  -- Today, the CA/Browser Forum released a
   draft Network and Certificate System Security Requirements
   for public review, comment, and discussion.  Comments may be
   submitted through Friday, 22 June 2012

https://cabforum.org/pipermail/public/2012-June/000114.html

Right?  Truth is important, right?  So faith in the product has a 
foundation?


CABForum participants are on record on that date to push a new 
unreleased standard onto the world through Mozilla's public theater with:


  10 days of public comment?

Right?

For the record:   when was that document first worked on in CABForum?



iang
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] How much does it cost to start a root CA ?

2013-01-06 Thread Natanael
Bitcoin based DNS? That would be Namecoin. I am unsure if it also manages
SSL or similar link encryption or if that is a separate thing for the
scheme.
On 6 Jan 2013 08:27, James A. Donald jam...@echeque.com wrote:

 On 2013-01-05 12:07 PM, Morlock Elloi wrote:

 Correct. The cost of being CA is equal to the cost of getting CA signing
 pub key into the target audience browsers.

 You can (sorted by increasing security, starting with zero):

 1 - go through browser vendors,
 2 - have your users install an additional CA key into their existing
 browsers (and perhaps remove others), or
 3 - distribute your own browser package.

 Pick one.


 Most of the browsers are open source.  A fork could be justified by adding
 privacy value or security value, as, for example, SRWare Iron or the Tor
 browser.

 This also applies pressure on the major browsers to refrain from too
 flagrantly violating their customers' privacy.

 Perhaps we need a browser that facilitates communication and interaction
 between the holder of one bitcoin key and the holder of another.


Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread Ralph Holz
Hi,

 Is inclusion of a root CA in the major browsers a "shall issue" process
 ? That is, you meet the criteria and you get in ?  Or is it a subjective,
 political process ?

The process varies between browser vendors, with baseline requirements
established in the CAB Forum. Audits are usually required.

The process for Mozilla is open: there is a one-week time of debate in
the group mozilla.dev.security.policy where everyone can chime in and
help to analyse the inclusion request. Sadly, there are not that many
participants, but that is understandable as the level of detail is high
and understanding a CPS document is very demanding. There are some
veterans, of course.

My impression is that every voice is heard equally, and a summary of
concerns then given at the end of the week. The CA is given a chance to
fix that and can then be included. Rejections are extremely rare, I am
not sure if I have seen even one in the past 3 years. It certainly was
not more.

I am not sure if some participants' opinion is given more weight than
others (it might make sense), or how the resolution of concerns is
handled afterwards.

What I have seen repeatedly is discussion whether a CA operates for the
general public (only those are deemed acceptable) or not. That seems to
be a somewhat subjective criterion.

What I have also seen was post-hoc debate about the inclusion of the
Chinese CA CNNIC (CN-NIC), which IMO highlighted a shortcoming of the
process: If participants do not have much time, the one-week discussion
period may pass without many comments and a CA thus be included. In the
case of CNNIC, many objections were raised afterwards as this CA had
been allegedly associated with malware in the past; there was also
concern the Chinese government might use it to issue the kind of MITM
certificates we're worried about. No proof of any such activity could be
given, and Mozilla decided that the fair approach was to keep them in.

Ralph





Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread Jeffrey Walton
On Sat, Jan 5, 2013 at 8:05 AM, Ralph Holz h...@net.in.tum.de wrote:
 Hi,

 ...

 What I have also seen was post-hoc debate about the inclusion of the
 Chinese CA CNNIC (CN-NIC), which IMO highlighted a shortcoming of the
 process: If participants do not have much time, the one-week discussion
 period may pass without many comments and a CA thus be included. In the
 case of CNNIC, many objections were raised afterwards as this CA had
 been allegedly associated with malware in the past; there was also
 concern the Chinese government might use it to issue the kind of MITM
 certificates we're worried about. No proof of any such activity could be
 given, and Mozilla decided that the fair approach was to keep them in.
I mark those certificates as untrusted. I was born at night, but not last night.

Jeff
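Jeff's "I mark those certificates as untrusted", like the "(and perhaps remove others)" option in the list Morlock Elloi gave upthread, comes down to editing a trust store. The following is an added example, not code from anyone in this thread: it assumes the store is a plain PEM bundle (the ca-certificates file format), audits it by SHA-256 fingerprint, and drops one root by fingerprint rather than by name. The function names are mine, and the two "certificates" in the sample bundle are constructed placeholder bytes, not real DER, so the script runs offline.

```python
"""Audit a PEM trust bundle and drop one root by SHA-256 fingerprint.

Added example, not code from this thread. It assumes the trust store is a
plain PEM bundle (ca-certificates style); all names here are my own.
"""
import base64
import hashlib
import re

# One CERTIFICATE block, optionally preceded by '#' comment lines that label it,
# so that removing a block also removes its label.
_CERT_BLOCK_RE = re.compile(
    r"(?:#[^\n]*\n)*"
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----\n?",
    re.S,
)


def _pem_block(label, der):
    """Frame raw bytes as a labelled PEM CERTIFICATE block."""
    b64 = base64.encodebytes(der).decode("ascii")  # ends with a newline
    return f"# {label}\n-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


# Constructed sample bundle: the payloads are placeholder bytes, NOT real
# DER certificates; the PEM framing is what a real bundle looks like.
SAMPLE_BUNDLE = (
    _pem_block("Example Root A (constructed)", b"placeholder-not-a-real-certificate-A")
    + _pem_block("Example Root B (constructed)", b"placeholder-not-a-real-certificate-B")
)


def parse_pem_bundle(text):
    """Return the DER payload of every CERTIFICATE block, in bundle order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _CERT_BLOCK_RE.finditer(text)]


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint, as browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint):
    """Accept 'AA:BB:...' or 'aabb...' spellings and compare on bare hex."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())


def list_fingerprints(text):
    """Audit helper: the fingerprint of every root in the bundle."""
    return [sha256_fingerprint(der) for der in parse_pem_bundle(text)]


def remove_by_fingerprint(text, fingerprint):
    """Return (new_bundle, removed_count) with every matching block dropped.

    Matching on the fingerprint rather than the subject name means a root
    with the same name but a different key is neither kept nor dropped by mistake.
    """
    wanted = _normalize(fingerprint)
    removed = 0

    def drop_if_match(match):
        nonlocal removed
        der = base64.b64decode("".join(match.group(1).split()))
        if _normalize(sha256_fingerprint(der)) == wanted:
            removed += 1
            return ""
        return match.group(0)

    return _CERT_BLOCK_RE.sub(drop_if_match, text), removed


if __name__ == "__main__":
    for i, fp in enumerate(list_fingerprints(SAMPLE_BUNDLE)):
        print(f"root {i}: {fp}")
    target = list_fingerprints(SAMPLE_BUNDLE)[0]
    filtered, n = remove_by_fingerprint(SAMPLE_BUNDLE, target)
    print(f"removed {n} block(s); {len(parse_pem_bundle(filtered))} remain")
```

Browsers that keep their own store (Firefox's NSS database, for one) are not PEM bundles; there the equivalent step is the certificate manager's trust-editing dialog, but the check is the same: identify the root by its fingerprint, not by the name shown in the list, and re-run the audit after every update of the bundle, since package updates routinely restore the shipped set.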


Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread ianG

On 5/01/13 01:05 AM, Ryan Sleevi wrote:

On Fri, January 4, 2013 12:59 pm, Greg Rose wrote:

  You could ask the folks at CAcert... I imagine Ian Grigg will also chime
  in. Certification costs a lot, and as you have observed, the incumbents
  try very hard to keep you out. Despite some reasonable sources of funding,
  CAcert still didn't succeed.

  Greg.


Can you explain how, exactly, incumbents leverage any power to keep new
entrants out?


Ref OP's last para, bottom, and pgut's more detailed explanation.  The 
technical term in economics art is barriers to entry.  Cf. Michael 
Porter's 5 forces, for those who really want references, and aren't just 
throwing the speculation mud around.




The policies are set by the browsers/root store operators - not CAs.

Microsoft -
http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx
Apple - http://www.apple.com/certificateauthority/ca_program.html
Mozilla - http://www.mozilla.org/projects/security/certs/policy/
Opera - http://www.opera.com/docs/ca/



Who wrote the policies?

Answer -- the vendors in consultation with the CAs.  Fuller answer - 
observe that the vendors have little understanding of the industry, so 
they naturally lean on the participants to come up with a best 
practice.  This process migrates naturally to the original incumbents 
raising the barriers.



Consistent among them is that they require a WebTrust or ETSI audit -
audits which were designed to reflect the collective shared policies of
the browsers. Not collective action by CAs.



Who promotes the audits?

Short answer:  The CAs who have them.

Longer answer -- although the vendors agree with the audit process, very 
few of them can pin down how they help the user or the vendor.  It's a 
regulation in place, not one that necessarily helps or proves anything. 
As a matter of my experience, the audits and auditors generally turn a 
blind eye to user interests, and generally concentrate on those things 
that the CAs think are important to them.  Vendors however haven't the 
experience of the CAs nor the understanding of audit to see that.  But 
they are content because they have achieved a compliance objective. 
Auditors don't care as long as they are respected and they get paid 
their fees.  Everyone's happy.


So what is the real question?  This is mine:  does the audit do anything 
positive for the users?  My answer - no.




More recently, the browsers have begun to increase the minimum
requirements they expect of their root store participants, in light of
several prominent failures. These are memorialized in the CA/Browser
Forum's Baseline Requirements (
https://www.cabforum.org/Baseline_Requirements_V1_1.pdf ), which were
driven by browsers seeking to find a consistent, common agreement about
the requirements of their members.


Yes.  Barriers to entry, reading from the prayer book.


CACert's failures have nothing to do with the actions of any incumbent CA,
but through an inability so far to meet the requirements set forth by the
browser programs they were seeking to be included in.


That's mostly true but not entirely.  When CAcert attempted to get into 
Mozilla, Mozilla didn't have a policy.  Opera charged a flat rate for 
any CA to get in, no questions asked (more or less).  Microsoft didn't 
have a policy but a secret legal process.  Konqueror did whatever 
Mozilla did.  WebTrust was optional, and easy.


The supporters of CAs were amongst those who delayed CAcert in.  The 
obvious question was raised: what's your policy?  It is impossible to 
separate out the CAs and the useful idiots in this respect, but the fact 
is that before it was trivial, more or less just small amounts of 
money.  After it was expensive and difficult.


And:  few CAs that were in before were re-verified.

Further, Mozilla's publication of an open, formally prepared and thought 
out policy (to which I contributed) did cause a wave of consolidation 
such that now, we're drowning in policies & audits.


The part that is true is that CAcert was not really at that time in a 
position to meet a proper reading of WebTrust.  However, neither were 
many other CAs, including the ones with WebTrust :)  CAcert wouldn't 
have met the needs of the first audit criteria, nor the first auditor.


It took around 3 years for CAcert to meet its first audit criteria. 
But, no other CA will meet those needs now, either.  They will all fail 
the audit criteria that CAcert used.




Even Ian has
attested that Mozilla's policy is both clear and fair in this regard.



:)  Mozilla's policies are fairly clear;  but/and I had a hand in 
writing them.  Indeed, before I took on the CAcert role, which is ironic.


Fair.  What is fair?  That's a rabbit hole, don't go down it.

I will however say that it is my opinion that the policies do not meet 
the needs of users.  At all, in any way shape or form.



Additionally, there are not,


whatever.


A lot of 

Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread ianG

On 5/01/13 00:01 AM, yersinia wrote:

On Fri, Jan 4, 2013 at 8:41 PM, John Case c...@sdf.org wrote:



Many today say that there are too many root CAs, not too few. Isn't it?
https://www.eff.org/observatory.

Have I missed something?


Yes - the number of CAs is not so relevant to the question.  Don't get 
distracted.


What OP introduced was an economic theory that says that incumbents seek 
to group together, create cartels and raise barriers to entry.


This indeed is what has happened, and the name of the cartel is 
CABForum.  It's a bit more complicated than the straight theory has it, 
as for example it was open for any CA to apply to join.  And it is a 
cartel across 3 sectors:  CAs, auditors, vendors.  If you know your 
cartel theory, look at De Beers.


Sadly, of course, there are far too few economists and business people 
in the area of cryptography and PKI, so talking about the economic 
theory of cartels and so forth is wasted.  The normal response will be 
for the supporters to chime in, shout the economists down, insist they 
prove their points, and drown out the dissent.


It's worked up until recently :)  Unfortunately in 2011, the wheels came 
off and the number of CA embarrassments sky-rocketed.  Something wasn't 
right ... and the debate has been on.


CABForum responded by tightening the wheel nuts, which is exactly what 
the theory of cartels expects:  Do what we are doing, but do it much 
better and more expensively.  Show everyone!  But don't change the rules 
that keep us in business.




iang


Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread Ryan Hurst
Before joining Globalsign a year ago I was an observer to what was going on in 
the CA industry.

Personally I saw (and still do see) value in the services that a CA offers and 
believe that for the large majority of users on the Internet there is value in 
knowing who is behind domain name.

I also felt that given the reality of where we are with technology and how long 
it takes for new technology to be deployed on a global scale CA's will be 
around for quite some time.

I saw all of this as an opportunity to try to change things for the better and built a 
model and associated business plan for creating another CA.

That exercise showed that to build an operational data center with sufficient 
scale, security, and computing power would cost around 1.5 million 
dollars, and that with this expenditure under your belt you would need to wait 
four years before you had a viable product offering and were able to compete.

You would then either need to eat the operational costs for four years, which 
would run around three quarters of a million each year, or diversify your 
business and invest into other product areas to offset those costs.

You could shortcut this waiting by finding somebody who is already trusted and 
cross certifying with them, but no CA's were considering such propositions.

As such I would argue the cost of entering this industry as a certificate 
authority that serves the Internet at large is approximately US $5 million and 
4 years.

Ryan Hurst


Sent from my phone, please forgive the brevity.

On Jan 5, 2013, at 7:02 AM, ianG i...@iang.org wrote:

 On 5/01/13 04:44 AM, Peter Gutmann wrote:
 John Case c...@sdf.org writes:
 
 So what does it cost to start a root CA, get properly audited (as I see the
 root CAs are) and get yourself included into, say, firefox or chrome ?
 
 The rule of thumb I've seen from various inside sources is about $1M [0].
 
 Nod.  From the audit perspective alone, the rule of thumb we worked with was 
 minimum $0.25M for the audits alone.  That didn't include the work the CA 
 did, just the fees to the auditors.  From there, it isn't a stretch to reach 
 Peter's number above for the total cost.
 
 iang


Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'm really glad you asked this question. It gives me to tell a story I've 
wanted to tell for some time. I know the answer to your question because I've 
done it.

Some years ago, PGP Corporation toyed off and on with the idea of becoming a 
CA. We looked at ways to get there through the side door, like buying the 
assets of some company that was going out of business, and managed to be too 
little, too late.

So after a lot of dithering, we started a project to create a CA from scratch. 
I led the project and it had a budget of US$250K. I code-named the project 
Casablanca. Partially because Casablanca begins and ends with a CA, but mostly 
because I really like the phrase, "I am shocked, shocked that PGP is issuing 
X.509 certificates." 

The process for setting up a CA is straightforward and exacting. You have to 
have physical and logical controls on things, dual-authentication and 
separation of duties on just about everything, but it's straightforward. You 
have to write a lot of documents, create a lot of procedures, and have all of 
that audited. You have to get audited regularly and often as you start out, and 
then the audits taper off after you show that you're running a tight ship. 

The main thing you're looking to do is to pass the WebTrust audit and 
associated practices that the platforms will require you to do. Microsoft has 
the most mature process. They have a set of rules and guidelines. If you follow 
them, you're in. One of those, by the way, is that you have to be a retail CA, 
as opposed to an internal one or a government one. It's best to work with 
Microsoft first, and once you're in their root program move to the others. They 
are fair, disciplined, and helpful. Most of all, once you've gone through all 
that, it's easier to get into the other important root stores.

If you go into this business with the attitude that you're doing a job that 
protects the Internet at large, defends the public trust, and so on, then 
you'll find the requirements completely reasonable and easy to do. 

Now that $250K that I spent got an offline root CA and an intermediate online 
CA. The intermediate was not capable of supporting workloads that would make 
you a major business. You need a data center after that, that supports the 
workloads that your business requires. But of course, you can grow that with 
your customer workload, and you can buy the datacenter space you need.

The costs got split out to about 40% hardware, etc. and 60% people. It does not 
include the people costs of the internal PGP personnel who worked on it. I 
raided part time help from around the company. It took about fourteen months 
from start to end.

PGP bought an existing company, TrustCenter. TrustCenter was the remaining end 
of GeoTrust (spun out Equifax) that Verisign did not buy. The plan was that the 
PGP-branded Casablanca roots would be put into the TrustCenter machinery and 
datacenters, and then you have a major CA. That got interrupted by Symantec 
buying PGP and then buying Verisign. Casablanca is now rolled up into their 
Norton CA business along with Verisign and Thawte, GeoTrust, etc.

There are rumors, which you've read here about how there are lots of 
underhanded obstacles in the way of becoming a CA. My experience is that the 
only underhanded part of the industry is that no one in it dispels the rumors 
that there are underhanded obstacles in your path. This is pretty much the 
first time I have, so I suppose I'm as guilty as anyone else.

Furthermore, there are lots of overblown rumors about the CA/Browser Forum. You 
don't have to be a Forum member to be a CA. If you plan to issue EV 
certificates, you have to follow the EV guidelines which are produced by the 
CA/Browser Forum, but that is because the platforms won't put your EV root in 
their stores unless you do. You don't have to be a member of the Forum to be a 
CA. As a matter of fact, there are a large number of CAs that are not members.

The situation is similar to Internet protocols and the IETF. If you want to 
make routers, you don't have to be a member of the IETF. You *will* have to 
follow IETF documents, but you don't have to participate. Obviously, there are 
advantages in participating, but there are also costs.

I was involved in the CA/Browser Forum for a few years, first with Apple (on 
the browser end) and then with Entrust (on the CA end). I heard the stories 
about how it's a cartel, etc. At PGP, we had no plans to be members because we 
had no interest in being part of a cartel. It was a huge disappointment to be 
there and find out that it isn't a cartel at all, it's a volunteer organization 
that handles lots of the rough edges of web PKI with the same combination of 
spurts of efficiency and spurts of fecklessness that you find in just about any 
organization that tries to get a bunch of organizations with different goals to 
work together.

Presently, the Forum is 

Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread Ryan Hurst
A great write up Jon!

As you know in a past life I was responsible for the Microsoft Root program and 
introduced much of the process that is used today - It really makes me happy to 
hear someone speak positively about what they do and I couldn't agree more.

The only thing I would change in your description below is that Microsoft does 
allow government CA's to be included in the program as do most of the other 
root programs.

See: http://unmitigatedrisk.com/?p=181

Requirement is that the CA is designed and operated with the purpose of serving 
the Internet at large, not in a commercial sense.

With that said I agree with everything you said other than that.

Ryan Hurst


Sent from my phone, please forgive the brevity.

On Jan 5, 2013, at 11:42 AM, Jon Callas j...@callas.org wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 I'm really glad you asked this question. It gives me to tell a story I've 
 wanted to tell for some time. I know the answer to your question because I've 
 done it.
 
 Some years ago, PGP Corporation toyed off and on with the idea of becoming a 
 CA. We looked at ways to get there through the side door, like buying the 
 assets of some company that was going out of business, and managed to be too 
 little, too late.
 
 So after a lot of dithering, we started a project to create a CA from 
 scratch. I led the project and it had a budget of US$250K. I code-named the 
 project Casablanca. Partially because Casablanca begins and ends with a CA, 
 but mostly because I really like the phrase, I am shocked, shocked that PGP 
 is issuing X.509 certificates. 
 
 The process for setting up a CA is straightforward and exacting. You have to 
 have physical and logical controls on things, dual-authentication and 
 separation of duties on just about everything, but it's straightforward. You 
 have to write a lot of documents, create a lot of procedures, and have all of 
 that audited. You have to get audited regularly and often as you start out, 
 and then the audits taper off after you show that you're running a tight 
 ship. 
 
 The main thing you're looking to do is to pass the WebTrust audit and 
 associated practices that the platforms will require you to do. Microsoft has 
 the most mature process. They have a set of rules and guidelines. If you 
 follow them, you're in. One of those, by the way, is that you have to be a 
 retail CA, as opposed to an internal one or a government one. It's best to 
 work with Microsoft first, and once you're in their root program move to the 
 others. They are fair, disciplined, and helpful. Most of all, once you've 
 gone through all that, it's easier to get into the other important root 
 stores.
 
 If you go into this business with the attitude that you're doing a job that 
 protects the Internet at large, defends the public trust, and so on, then 
 you'll find the requirements completely reasonable and easy to do. 
 
 Now that $250K that I spent got an offline root CA and an intermediate online 
 CA. The intermediate was not capable of supporting workloads that would make 
 you a major business. You need a data center after that, that supports the 
 workloads that your business requires. But of course, you can grow that with 
 your customer workload, and you can buy the datacenter space you need.
 
 The costs got split out to about 40% hardware, etc. and 60% people. It does 
 not include the people costs of the internal PGP personnel who worked on it. 
 I raided part time help from around the company. It took about fourteen 
 months from start to end.
 
 PGP bought an existing company, TrustCenter. TrustCenter was the remaining 
 end of GeoTrust (spun out Equifax) that Verisign did not buy. The plan was 
 that the PGP-branded Casablanca roots would be put into the TrustCenter 
 machinery and datacenters, and then you have a major CA. That got interrupted 
 by Symantec buying PGP and then buying Verisign. Casablanca is now rolled up 
 into their Norton CA business along with Verisign and Thawte, GeoTrust, etc.
 
 There are rumors, which you've read here about how there are lots of 
 underhanded obstacles in the way of becoming a CA. My experience is that the 
 only underhanded part of the industry is that no one in it dispels the rumors 
 that there are underhanded obstacles in your path. This is pretty much the 
 first time I have, so I suppose I'm as guilty as anyone else.
 
 Furthermore, there are lots of overblown rumors about the CA/Browser Forum. 
 You don't have to be a Forum member to be a CA. If you plan to issue EV 
 certificates, you have to follow the EV guidelines which are produced by the 
 CA/Browser Forum, but that is because the platforms won't put your EV root in 
 their stores unless you do. You don't have to be a member of the Forum to be 
 a CA. As a matter of fact, there are a large number of CAs that are not 
 members.
 
 The situation is similar to Internet protocols and the IETF. If you want to 
 make routers, you 

Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread John Case


Jon,

Many thanks for this very informative post - really appreciated.

Some comments, below...


On Sat, 5 Jan 2013, Jon Callas wrote:

Now that $250K that I spent got an offline root CA and an intermediate 
online CA. The intermediate was not capable of supporting workloads that 
would make you a major business. You need a data center after that, that 
supports the workloads that your business requires. But of course, you 
can grow that with your customer workload, and you can buy the 
datacenter space you need.



You're the second person in this thread to mention hardware and datacenter 
costs ... and while I don't want to drift too far into a blood and guts 
sysadmin rundown, I am curious...  Are you talking about the customer 
facing, retail side of things with the webservers and the load balancers 
and all of the things that make a robust web presence or are you talking 
strictly the x.509 components ?


Because it seems to me (naive ?) that even a very high volume x.509 
signing operation is ... maybe a pair of good 1u servers and a rack at a 
decent (sas70/pci/blah/blah) datacenter ... ?  Ok, a firewall and maybe 
some IDS system ... but we're still only a handful of 1u boxes and a 
quarter of a rack...


Perhaps it's this kind of thinking that leads to failed audits :)


There are rumors, which you've read here about how there are lots of 
underhanded obstacles in the way of becoming a CA. My experience is that 
the only underhanded part of the industry is that no one in it dispels 
the rumors that there are underhanded obstacles in your path. This is 
pretty much the first time I have, so I suppose I'm as guilty as anyone 
else.



That's nice to know, and I'm heartened that all the way into 2012 this is 
still the case, but ... boy oh boy does this look and smell like a 
marketplace ripe for monopolization and a cartel ... it's almost a classic 
case.


I think the presence of a major browser that is a community, independent 
effort is an interesting wrinkle, and the fickleness of the browsing 
public (how fast did chrome shoot up the charts ?  Safari ?) adds a 
wrinkle too, but ... there's no way the large, entrenched players aren't 
sitting around thinking gee we have a nice thing going here...  Not a 
conspiracy theory, just common sense...


Thanks again for a really thought-provoking post.


Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread Ryan Sleevi
On Sat, January 5, 2013 10:10 pm, John Case wrote:

  Jon,

  Many thanks for this very informative post - really appreciated.

  Some comments, below...


  On Sat, 5 Jan 2013, Jon Callas wrote:

  Now that $250K that I spent got an offline root CA and an intermediate
  online CA. The intermediate was not capable of supporting workloads that
  would make you a major business. You need a data center after that, that
  supports the workloads that your business requires. But of course, you
  can grow that with your customer workload, and you can buy the
  datacenter space you need.


  You're the second person in this thread to mention hardware and datacenter
  costs ... and while I don't want to drift too far into a blood and guts
  sysadmin rundown, I am curious...  Are you talking about the customer
  facing, retail side of things with the webservers and the load balancers
  and all of the things that make a robust web presence or are you talking
  strictly the x.509 components ?

  Because it seems to me (naive ?) that even a very high volume x.509
  signing operation is ... maybe a pair of good 1u servers and a rack at a
  decent (sas70/pci/blah/blah) datacenter ... ?  Ok, a firewall and maybe
  some IDS system ... but we're still only a handful of 1u boxes and a
  quarter of a rack...

  Perhaps it's this kind of thinking that leads to failed audits :)

It will, it does, and the information is readily available from the
previous post.

https://www.cabforum.org/Baseline_Requirements_V1_1.pdf Sections 14
through 16

Additionally, https://www.cabforum.org/Network_Security_Controls_V1.pdf
describes a series of controls jointly developed by the browsers and CAs.
While I'm not aware of any Browser program requiring them *yet*, I think
any person concerned about the trust online would say "Yes, these are all
sensible requirements" - stuff that should be obvious for any entity
granted the ability to affect global Internet trust.

You can further find the details of the *existing* requirements for
Physical Security by looking through the recognized Audit programs, such
as WebTrust. See http://www.webtrust.org/homepage-documents/item54279.pdf
- in particular, Sections 3.4 and 3.5

Is it a perfect system? No. But even if the CA/Browser Forum is not fully
open (yet?), improvements can certainly be made to and through Mozilla,
given the openness and transparency that they maintain with their root
certificate policies.
https://lists.mozilla.org/listinfo/dev-security-policy as always - where
you can discuss things such as Mozilla's proposed policy changes,
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html



  There are rumors, which you've read here about how there are lots of
  underhanded obstacles in the way of becoming a CA. My experience is that
  the only underhanded part of the industry is that no one in it dispels
  the rumors that there are underhanded obstacles in your path. This is
  pretty much the first time I have, so I suppose I'm as guilty as anyone
  else.


  That's nice to know, and I'm heartened that all the way into 2012 this is
  still the case, but ... boy oh boy does this look and smell like a
  marketplace ripe for monopolization and a cartel ... it's almost a classic
  case.

  I think the presence of a major browser that is a community, independent
  effort is an interesting wrinkle, and the fickleness of the browsing
  public (how fast did chrome shoot up the charts ?  Safari ?) adds a
  wrinkle too, but ... there's no way the large, entrenched players aren't
  sitting around thinking gee we have a nice thing going here...  Not a
  conspiracy theory, just common sense...

You're disregarding the dynamics at play here. The CAs don't set the
requirements - the browsers do.

Yes, the browsers take input from the CAs, but they also (and in
particular, Mozilla) take input from their constituents. Whether you're a
closed-source vendor listening to your customers or an open-source
organization with a public process, there's still a great desire from the
browser vendors to engage the community. Nor is it in the browser vendors'
interests to ignore their users or their users' security. I don't think
any browser wants to be known as the *less* secure browser - we're all
jockeying to be *more* secure, especially where it matters most.

Any defensiveness is no doubt due to the fact that trust in the system
is shared between all participants - lose faith in one CA, and you lose
faith in all CAs. In that sense, existing CAs - particularly entrenched
ones - have incentives to improve the state of the trust and security in
the overall system - the same thing users and browsers want most as well.
If the cost of improving the controls and security of the system is that
it means excluding CAs that are not prepared for the solemn public trust
that comes from being in the root stores, then that seems like a win for
all concerned parties.

I'm not trying to write an 

Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread Jeffrey Walton
 Any defensiveness is no doubt due to the fact that trust in the system
 is shared between all participants - lose faith in one CA, and you lose
 faith in all CAs. In that sense, existing CAs - particularly entrenched
 ones - have incentives to improve the state of the trust and security in
 the overall system
Disagree. They don't have an incentive. In fact, it has been shown
that bad behavior is acceptable, which is an implicit encouragement.

Mozilla and Microsoft (and et al) set a horrible precedent. I know it's
Microsoft too because I personally filed the bug report against
Trustwave.

Jeff

On Sun, Jan 6, 2013 at 1:48 AM, Ryan Sleevi
ryan+cryptogra...@sleevi.com wrote:
 On Sat, January 5, 2013 10:10 pm, John Case wrote:

  Jon,

  Many thanks for this very informative post - really appreciated.

  Some comments, below...


  On Sat, 5 Jan 2013, Jon Callas wrote:

  Now that $250K that I spent got an offline root CA and an intermediate
  online CA. The intermediate was not capable of supporting workloads that
  would make you a major business. You need a data center after that, that
  supports the workloads that your business requires. But of course, you
  can grow that with your customer workload, and you can buy the
  datacenter space you need.


  You're the second person in this thread to mention hardware and datacenter
  costs ... and while I don't want to drift too far into a blood and guts
  sysadmin rundown, I am curious...  Are you talking about the customer
  facing, retail side of things with the webservers and the load balancers
  and all of the things that make a robust web presence or are you talking
  strictly the x.509 components ?

  Because it seems to me (naive ?) that even a very high volume x.509
  signing operation is ... maybe a pair of good 1u servers and a rack at a
  decent (sas70/pci/blah/blah) datacenter ... ?  Ok, a firewall and maybe
  some IDS system ... but we're still only a handful of 1u boxes and a
  quarter of a rack...

  Perhaps it's this kind of thinking that leads to failed audits :)

 It will, it does, and the information is readily available from the
 previous post.

 https://www.cabforum.org/Baseline_Requirements_V1_1.pdf Sections 14
 through 16

 Additionally, https://www.cabforum.org/Network_Security_Controls_V1.pdf
 describes a series of controls jointly developed by the browsers and CAs.
 While I'm not aware of any Browser program requiring them *yet*, I think
 any person concerned about the trust online would say Yes, these are all
 sensible requirements - stuff that should be obvious for any entity
 granted the ability to affect global Internet trust.

 You can further find the details of the *existing* requirements for
 Physical Security by looking through the recognized Audit programs, such
 as WebTrust. See http://www.webtrust.org/homepage-documents/item54279.pdf
 - in particular, Sections 3.4 and 3.5

 Is it a perfect system? No. But even if the CA/Browser Forum is not fully
 open (yet?), improvements can certainly be made to and through Mozilla,
 given the openness and transparency that they maintain with their root
 certificate policies.
 https://lists.mozilla.org/listinfo/dev-security-policy as always - where
 you can discuss things such as Mozilla's proposed policy changes,
 http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html



  There are rumors, which you've read here about how there are lots of
  underhanded obstacles in the way of becoming a CA. My experience is that
  the only underhanded part of the industry is that no one in it dispels
  the rumors that there are underhanded obstacles in your path. This is
  pretty much the first time I have, so I suppose I'm as guilty as anyone
  else.


  That's nice to know, and I'm heartened that all the way into 2012 this is
  still the case, but ... boy oh boy does this look and smell like a
  marketplace ripe for monopolization and a cartel ... it's almost a classic
  case.

  I think the presence of a major browser that is a community, independent
  effort is an interesting wrinkle, and the fickleness of the browsing
  public (how fast did chrome shoot up the charts ?  Safari ?) adds a
  wrinkle too, but ... there's no way the large, entrenched players aren't
  sitting around thinking gee we have a nice thing going here...  Not a
  conspiracy theory, just common sense...

 You're disregarding the dynamics at play here. The CAs don't set the
 requirements - the browsers do.

 Yes, the browsers take input from the CAs, but they also (and in
 particular, Mozilla) take input from their constituents. Whether you're a
 closed-source vendor listening to your customers or an open-source
 organization with a public process, there's still a great desire from the
 browser vendors to engage the community. Nor is it in the browser vendors'
 interests to ignore their users or their users' security. I don't think
 any browser wants to be known as the *less* secure browser - 

Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread James A. Donald

On 2013-01-05 9:31 AM, Ryan Sleevi wrote:

On Fri, January 4, 2013 3:06 pm, James A. Donald wrote:

  On 2013-01-05 8:05 AM, Ryan Sleevi wrote

Can you explain how, exactly, incumbents leverage any power to keep new
entrants out?

  Such behavior is necessarily a deviation from official truth, from the
  way certification is supposed to work, thus the only way to observe such
  behavior would be if emails leaked, as in the climategate files where we
  saw how peer review actually worked.

  Analogously, regulators, financial audits and ratings agencies were
  supposed to ensure that banks only invested in safe stuff.  When the
  proverbial hit the fan, it became apparent that regulators, financial
  audits and ratings agencies in practice ensured that banks only invested
  in politically correct stuff, but no one can explain how, exactly, this
  happened - well it is pretty obvious how it happened, and one can make a
  pretty good guess how it happened, but there is no direct official
  evidence as to how it happened.

While I appreciate a good bit of paranoia and tin-foil hat wagging as much
as the next person, I think your analogy breaks down pretty critically.

In the case you referenced, it was the role of auditors and regulators to
keep people out / keep people honest, and they failed, and so more people
/ dishonest people got in.


Regulators such as Jon Corzine?

They did not fail.  In the US most of the money that was pissed away
in the great financial crisis was not pissed away on financial
engineering, splitting derivatives, and enriching bankers, but on
rewarding targeted voting blocs and specific get-out-the-vote
organizations - from which one may infer what went on behind the scenes;
plus some small amount of what went on behind the scenes has been
revealed, leading to the suspicion that behind the scenes, it was all
like that.




  However, the speculation about CA collusion
requires the CAs to be working hard to keep new entrants out - the exact
*opposite* behaviour.


Long established bankers, such as Angelo Mozillo, heading long
established banks, made dud loans and bribed government employees to
take the loans off his hands at face value.  Who were these new
entrants of which you speak?  Jon Corzine?


Similarly, long established CAs, such as verisign, presumably bribe 
existing browser teams.



___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] How much does it cost to start a root CA ?

2013-01-05 Thread James A. Donald

On 2013-01-05 12:07 PM, Morlock Elloi wrote:

Correct. The cost of being CA is equal to the cost of getting CA signing pub 
key into the target audience browsers.

You can (sorted by increasing security, starting with zero):

1 - go through browser vendors,
2 - have your users install an additional CA key into their existing browsers 
(and perhaps remove others), or
3 - distribute your own browser package.

Pick one.


Most of the browsers are open source.  A fork could be justified by 
adding privacy value or security value, as, for example, SRWare Iron or 
the Tor browser.


This also applies pressure on the major browsers to refrain from too 
flagrantly violating their customer's privacy.


Perhaps we need a browser that facilitates communication and interaction 
between the holder of one bitcoin key and the holder of another.



Re: [cryptography] How much does it cost to start a root CA ?

2013-01-04 Thread John Case


On Fri, 4 Jan 2013, yersinia wrote:


Finally, it seems to me that since there are so few root CAs (~30 ?) and the
service provided is such an arbitrary, misunderstood one, that existing CAs
would be actively trying to prevent new entrants ... and establish
themselves as toll collectors with a pseudo monopoly ... what evidence (if
any) do we have that they are pursuing such an ecosystem ?


Many today say that there are too many root CAs, not too few. Isn't it?
https://www.eff.org/observatory.



Maybe.  That's outside the scope of the questions I asked, though - I'm 
just interested in how difficult it is currently to start one, and what 
barriers the incumbents are putting into place...



Re: [cryptography] How much does it cost to start a root CA ?

2013-01-04 Thread John Case


On Fri, 4 Jan 2013, Greg Rose wrote:

You could ask the folks at CAcert... I imagine Ian Grigg will also chime 
in. Certification costs a lot, and as you have observed, the incumbents 
try very hard to keep you out. Despite some reasonable sources of 
funding, CAcert still didn't succeed.



Well, I actually have not observed that, I just *assumed* it to be the 
case based on my general understanding of markets, etc.


So it appears that was a good assumption.  I would indeed like to hear 
about how the incumbents protect this turf and to what degree they are 
doing so ...



Re: [cryptography] How much does it cost to start a root CA ?

2013-01-04 Thread Ryan Sleevi
On Fri, January 4, 2013 12:59 pm, Greg Rose wrote:
  You could ask the folks at CAcert... I imagine Ian Grigg will also chime
  in. Certification costs a lot, and as you have observed, the incumbents
  try very hard to keep you out. Despite some reasonable sources of funding,
  CAcert still didn't succeed.

  Greg.

Can you explain how, exactly, incumbents leverage any power to keep new
entrants out?

The policies are set by the browsers/root store operators - not CAs.

Microsoft -
http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx
Apple - http://www.apple.com/certificateauthority/ca_program.html
Mozilla - http://www.mozilla.org/projects/security/certs/policy/
Opera - http://www.opera.com/docs/ca/

Consistent among them is that they require a WebTrust or ETSI audit -
audits which were designed to reflect the collective shared policies of
the browsers. Not collective action by CAs.

More recently, the browsers have begun to increase the minimum
requirements they expect of their root store participants, in light of
several prominent failures. These are memorialized in the CA/Browser
Forum's Baseline Requirements (
https://www.cabforum.org/Baseline_Requirements_V1_1.pdf ), which were
driven by browsers seeking to find a consistent, common agreement about
the requirements of their members.

CACert's failures have nothing to do with the actions of any incumbent CA,
but through an inability so far to meet the requirements set forth by the
browser programs they were seeking to be included in. Even Ian has
attested that Mozilla's policy is both clear and fair in this regard.


Additionally, there are not, as the original poster suggested, only 30
root CAs. This can be trivially discovered by examining the lists of CAs
included in these programs - which are all public.

Mozilla - http://www.mozilla.org/projects/security/certs/included/
Microsoft -
http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and-windows-phone-8-ssl-root-certificate-program-member-cas.aspx
Apple -
http://opensource.apple.com/source/security_certificates/security_certificates-55024.2/
(OS X 10.8.2)
Opera - http://my.opera.com/rootstore/blog/


A lot of speculation on this thread, but the answers are readily and
trivially available.

Cheers,
Ryan


  On 2013 Jan 4, at 11:41 , John Case wrote:

 
  Let's assume hardware is zero ... it's a really variable cost, so I
  assume (correct me if I'm wrong) that it is a trivial cost compared to
  legal and audit costs, etc.
 
  So what does it cost to start a root CA, get properly audited (as I see
  the root CAs are) and get yourself included into, say, firefox or chrome
  ?
 
  A followup question would be:
 
  Is inclusion of a root CA in the major browsers a shall issue process
  ? That is, you meet the criteria and you get in ?  Or is it a subjective,
  political process ?
 
  Finally, it seems to me that since there are so few root CAs (~30 ?) and
  the service provided is such an arbitrary, misunderstood one, that
  existing CAs would be actively trying to prevent new entrants ... and
  establish themselves as toll collectors with a pseudo monopoly ... what
  evidence (if any) do we have that they are pursuing such an ecosystem ?
 
  Thank you.





Re: [cryptography] How much does it cost to start a root CA ?

2013-01-04 Thread Ryan Sleevi
On Fri, January 4, 2013 3:06 pm, James A. Donald wrote:
  On 2013-01-05 8:05 AM, Ryan Sleevi wrote
  Can you explain how, exactly, incumbents leverage any power to keep new
  entrants out?

  Such behavior is necessarily a deviation from official truth, from the
  way certification is supposed to work, thus the only way to observe such
  behavior would be if emails leaked, as in the climategate files where we
  saw how peer review actually worked.

  Analogously, regulators, financial audits and ratings agencies were
  supposed to ensure that banks only invested in safe stuff.  When the
  proverbial hit the fan, it became apparent that regulators, financial
  audits and ratings agencies in practice ensured that banks only invested
  in politically correct stuff, but no one can explain how, exactly, this
  happened - well it is pretty obvious how it happened, and one can make a
  pretty good guess how it happened, but there is no direct official
  evidence as to how it happened.

While I appreciate a good bit of paranoia and tin-foil hat wagging as much
as the next person, I think your analogy breaks down pretty critically.

In the case you referenced, it was the role of auditors and regulators to
keep people out / keep people honest, and they failed, and so more people
/ dishonest people got in. However, the speculation about CA collusion
requires the CAs to be working hard to keep new entrants out - the exact
*opposite* behaviour.

Such a conspiracy requires auditors colluding to keep new entrants out. To
be quite frank, I would be surprised if anyone on this list, concerned
about security, would be saddened or upset if they heard horror stories of
WebTrust auditors finding actionable concerns that kept new entrants out -
such as failures to adhere to their policies or unaddressed security
concerns.

At best, it means the market is incentivizing auditors to closely examine
new entrants for best practices. Is that a bad thing and does it really
demonstrate a vast CA conspiracy? Has there ever been a new CA, attempting
to get audited, who has said with a straight face that the audits are
unreasonably thorough? Shouldn't that be the bare minimum for having the
ability to affect trust globally?

So at best, we have FUD and unsubstantiated speculation about auditors
being too strict - at the same time that the browsers are working to
make the requirements more strict.



Re: [cryptography] How much does it cost to start a root CA ?

2013-01-04 Thread Peter Gutmann
John Case c...@sdf.org writes:

  So what does it cost to start a root CA, get properly audited (as I see the
  root CAs are) and get yourself included into, say, firefox or chrome ?

The rule of thumb I've seen from various inside sources is about $1M [0].
Obviously this can vary quite a lot based on whether you're starting from
scratch or already have secure facilities, vetted staff, etc, so it can go
much higher, but is unlikely to be lower.

  Is inclusion of a root CA in the major browsers a shall issue process ? That
  is, you meet the criteria and you get in ?  Or is it a subjective, political
  process ?

There's no bias that I've heard of, you check all the boxes to confirm that
you've done what the browser vendors require, produce the auditor's OK, and
you're in.

To put it more succinctly, to be a root CA you just need to buy your way in.
I don't mean that in a cynical manner, it's just that that's what the bottom
line is, you need to spend enough money to get in, but if you're prepared to
do that then anyone can get it.

  Finally, it seems to me that since there are so few root CAs (~30 ?) and the
  service provided is such an arbitrary, misunderstood one, that existing CAs
  would be actively trying to prevent new entrants ...

The extreme cost is enough of a barrier to getting in that it deters most new
entrants.  If you look at the root CAs that aren't mass-market ones (the
GoDaddy's and so on), they're all boutique CAs with captive markets or
national-prestige ones where cost isn't an object, so the overhead is enough
of a barrier to keep the riff-raff out.

Peter.

[0] In order to address an issue that's also come up with FIPS 140 where I've
said that the cost for a level 1 is $100K and people have claimed it's
much cheaper: If you claim you can get a root cert into all the major
browsers for a lot less than $1M then I'll connect you with people who
will want to get in at the price you quote, so you'll need to be prepared 
to put your money where your mouth is.  For FIPS 140 I've had an open offer 
on my home page for several years now to pay, in cash, the price that some 
people have quoted they can get it done for ($30K).  So far zero have 
taken me up on the offer.