Re: [cryptography] How much does it cost to start a root CA ?
On 6/01/13 09:48 AM, Ryan Sleevi wrote:

>> Perhaps it's this kind of thinking that leads to failed audits :)
>
> It will, it does, and the information is readily available from the previous post.
>
> https://www.cabforum.org/Baseline_Requirements_V1_1.pdf
> Sections 14 through 16
>
> Additionally, https://www.cabforum.org/Network_Security_Controls_V1.pdf describes a series of controls jointly developed by the browsers and CAs.

Ryan, that's not true. I know it is easy to market the organisation as being open and friendly, but some of us weren't born last night.

I think the truth is that it was developed by CABForum participants. In private. Right? And then announced it to the world here:

> 12-June-2012 -- Today, the CA/Browser Forum released a draft Network and Certificate System Security Requirements for public review, comment, and discussion. Comments may be submitted through Friday, 22 June 2012
> https://cabforum.org/pipermail/public/2012-June/000114.html

Right? Truth is important, right? So faith in the product has a foundation?

CABForum participants are on record on that date to push a new unreleased standard onto the world through Mozilla's public theater with: 10 days of public comment? Right?

For the record: when was that document first worked on in CABForum?

iang

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] How much does it cost to start a root CA ?
Bitcoin based DNS? That would be Namecoin. I am unsure if it also manages SSL or similar link encryption or if that is a separate thing for the scheme.

On 6 Jan 2013 08:27, James A. Donald jam...@echeque.com wrote:

> On 2013-01-05 12:07 PM, Morlock Elloi wrote:
>
>> Correct. The cost of being CA is equal to the cost of getting CA signing pub key into the target audience browsers. You can (sorted by increasing security, starting with zero):
>>
>> 1 - go through browser vendors,
>> 2 - have your users install additional CA key into their existing browsers (and perhaps remove others), or
>> 3 - distribute your own browser package.
>>
>> Pick one.
>
> Most of the browsers are open source. A fork could be justified by adding privacy value or security value, as, for example, SRWare Iron or the Tor browser. This also applies pressure on the major browsers to refrain from too flagrantly violating their customer's privacy.
>
> Perhaps we need a browser that facilitates communication and interaction between the holder of one bitcoin key and the holder of another.
Re: [cryptography] How much does it cost to start a root CA ?
Hi,

> Is inclusion of a root CA in the major browsers a shall-issue process ? That is, you meet the criteria and you get in ? Or is it a subjective, political process ?

The process varies between browser vendors, with baseline requirements established in the CAB Forum. Audits are usually required.

The process for Mozilla is open: there is a one-week time of debate in the group mozilla.dev.security.policy where everyone can chime in and help to analyse the inclusion request. Sadly, there are not that many participants, but that is understandable as the level of detail is high and understanding a CPS document is very demanding. There are some veterans, of course.

My impression is that every voice is heard equally, and a summary of concerns is then given at the end of the week. The CA is given a chance to fix that and can then be included. Rejections are extremely rare, I am not sure if I have seen even one in the past 3 years. It certainly was not more. I am not sure if some participants' opinion is given more weight than others (it might make sense), or how the resolution of concerns is handled afterwards.

What I have seen repeatedly is discussion whether a CA operates for the general public (only those are deemed acceptable) or not. That seems to be a somewhat subjective criterion.

What I have also seen was post-hoc debate about the inclusion of the Chinese CA CNNIC (CN-NIC), which IMO highlighted a shortcoming of the process: If participants do not have much time, the one-week discussion period may pass without many comments and a CA thus be included. In the case of CNNIC, many objections were raised afterwards as this CA had been allegedly associated with malware in the past; there was also concern the Chinese government might use it to issue the kind of MITM certificates we're worried about. No proof of any such activity could be given, and Mozilla decided that the fair approach was to keep them in.

Ralph
Re: [cryptography] How much does it cost to start a root CA ?
On Sat, Jan 5, 2013 at 8:05 AM, Ralph Holz h...@net.in.tum.de wrote:

> Hi,
>
> ...
>
> What I have also seen was post-hoc debate about the inclusion of the Chinese CA CNNIC (CN-NIC), which IMO highlighted a shortcoming of the process: If participants do not have much time, the one-week discussion period may pass without many comments and a CA thus be included. In the case of CNNIC, many objections were raised afterwards as this CA had been allegedly associated with malware in the past; there was also concern the Chinese government might use it to issue the kind of MITM certificates we're worried about. No proof of any such activity could be given, and Mozilla decided that the fair approach was to keep them in.

I mark those certificates as untrusted.

I was born at night, but not last night.

Jeff
Re: [cryptography] How much does it cost to start a root CA ?
On 5/01/13 01:05 AM, Ryan Sleevi wrote:

>> On Fri, January 4, 2013 12:59 pm, Greg Rose wrote:
>>
>> You could ask the folks at CAcert... I imagine Ian Grigg will also chime in. Certification costs a lot, and as you have observed, the incumbents try very hard to keep you out. Despite some reasonable sources of funding, CAcert still didn't succeed.
>>
>> Greg.
>
> Can you explain how, exactly, incumbents leverage any power to keep new entrants out?

Ref OP's last para, bottom, and pgut's more detailed explanation. The technical term in economics art is barriers to entry. C.f., Michael Porter's 5 forces, for those who really want references, and aren't just throwing the speculation mud around.

> The policies are set by the browsers/root store operators - not CAs.
>
> Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx
> Apple - http://www.apple.com/certificateauthority/ca_program.html
> Mozilla - http://www.mozilla.org/projects/security/certs/policy/
> Opera - http://www.opera.com/docs/ca/

Who wrote the policies? Answer -- the vendors in consultation with the CAs. Fuller answer - observe that the vendors have little understanding of the industry, so they naturally lean on the participants to come up with a best practice. This process migrates naturally to the original incumbents raising the barriers.

> Consistent among them is that they require a WebTrust or ETSI audit - audits which were designed to reflect the collective shared policies of the browsers. Not collective action by CAs.

Who promotes the audits? Short answer: The CAs who have them. Longer answer -- although the vendors agree with the audit process, very few of them can pin down how they help the user or the vendor. It's a regulation in place, not one that necessarily helps or proves anything.

As a matter of my experience, the audits and auditors generally turn a blind eye to user interests, and generally concentrate on those things that the CAs think is important to them. Vendors however haven't the experience of the CAs nor the understanding of audit to see that. But they are content because they have achieved a compliance objective. Auditors don't care as long as they are respected and they get paid their fees. Everyone's happy.

So what is the real question? This is mine: does the audit do anything positive for the users? My answer - no.

> More recently, the browsers have begun to increase the minimum requirements they expect of their root store participants, in light of several prominent failures. These are memorialized in the CA/Browser Forum's Baseline Requirements ( https://www.cabforum.org/Baseline_Requirements_V1_1.pdf ), which were driven by browsers seeking to find a consistent, common agreement about the requirements of their members.

Yes. Barriers to entry, reading from the prayer book.

> CACert's failures have nothing to do with the actions of any incumbent CA, but through an inability so far to meet the requirements set forth by the browser programs they were seeking to be included in.

That's mostly true but not entirely. When CAcert attempted to get into Mozilla, Mozilla didn't have a policy. Opera charged a flat rate for any CA to get in, no questions asked (more or less). Microsoft didn't have a policy but a secret legal process. Konqueror did whatever Mozilla did. WebTrust was optional, and easy.

The supporters of CAs were amongst those who delayed CAcert in. The obvious question was raised: what's your policy? It is impossible to separate out the CAs and the useful idiots in this respect, but the fact is that before it was trivial, more or less just small amounts of money. After it was expensive and difficult. And: few CAs that were in before were re-verified.

Further, Mozilla's publication of an open, formally prepared and thought out policy (to which I contributed) did cause a wave of consolidation such that now, we're drowning in policies audits.

The part that is true is that CAcert was not really at that time in a position to meet a proper reading of WebTrust. However, neither were many other CAs, including the ones with WebTrust :) CAcert wouldn't have met the needs of the first audit criteria, nor the first auditor. It took around 3 years for CAcert to meet its first audit criteria. But, no other CA will meet those needs now, either. They will all fail the audit criteria that CAcert used.

> Even Ian has attested that Mozilla's policy is both clear and fair in this regard. :)

Mozilla's policies are fairly clear; but/and I had a hand in writing them. Indeed, before I took on the CAcert role, which is ironic.

Fair. What is fair? That's a rabbit hole, don't go down it. I will however say that it is my opinion that the policies do not meet the needs of users. At all, in any way shape or form.

Additionally, there are not, whatever. A lot of
Re: [cryptography] How much does it cost to start a root CA ?
On 5/01/13 00:01 AM, yersinia wrote:

> On Fri, Jan 4, 2013 at 8:41 PM, John Case c...@sdf.org wrote:
>
> Many today say that there are too many root CA, not a few. Isn't it? https://www.eff.org/observatory. Have I missed something?

Yes - the number of CAs is not so relevant to the question. Don't get distracted.

What OP introduced was an economic theory that says that incumbents seek to group together, create cartels and raise barriers to entry. This indeed is what has happened, and the name of the cartel is CABForum. It's a bit more complicated than the straight theory has it, as for example it was open for any CA to apply to join. And it is a cartel across 3 sectors: CAs, auditors, vendors. If you know your cartel theory, look at De Beers.

Sadly, of course, there are far too few economists and business people in the area of cryptography and PKI, so talking about the economic theory of cartels and so forth is wasted. The normal response will be for the supporters to chime in, shout the economists down, insist they prove their points, and drown out the dissent. It's worked up until recently :)

Unfortunately in 2011, the wheels came off and the number of CA embarrassments sky-rocketed. Something wasn't right ... and the debate has been on.

CABForum responded by tightening the wheel nuts, which is exactly what the theory of cartels expects: Do what we are doing, but do it much better and more expensively. Show everyone! But don't change the rules that keep us in business.

iang
Re: [cryptography] How much does it cost to start a root CA ?
Before joining Globalsign a year ago I was an observer to what was going on in the CA industry. Personally I saw (and still do see) value in the services that a CA offers and believe that for the large majority of users on the Internet there is value in knowing who is behind a domain name. I also felt that given the reality of where we are with technology and how long it takes for new technology to be deployed on a global scale, CAs will be around for quite some time.

I saw all of this as an opportunity to try to change things for the better and built a model and associated business plan for creating another CA. That exercise showed that to build an operational data center with sufficient scale, security, computing power, and security would cost around 1.5 million dollars, and that with this expenditure under your belt you would need to wait four years before you had a viable product offering and were able to compete. You would then either need to eat the operational costs for four years, which would run around three quarters of a million each year, or diversify your business and invest into other product areas to offset those costs.

You could shortcut this waiting by finding somebody who is already trusted and cross certifying with them, but no CAs were considering such propositions.

As such I would argue the cost of entering this industry as a certificate authority that serves the Internet at large is approximately US $5 million and 4 years.

Ryan Hurst

Sent from my phone, please forgive the brevity.

On Jan 5, 2013, at 7:02 AM, ianG i...@iang.org wrote:

> On 5/01/13 04:44 AM, Peter Gutmann wrote:
>
>> John Case c...@sdf.org writes:
>>
>>> So what does it cost to start a root CA, get properly audited (as I see the root CAs are) and get yourself included into, say, firefox or chrome ?
>>
>> The rule of thumb I've seen from various inside sources is about $1M [0].
>
> Nod. From the audit perspective alone, the rule of thumb we worked with was minimum $0.25M for the audits alone. That didn't include the work the CA did, just the fees to the auditors. From there, it isn't a stretch to reach Peter's number above for the total cost.
>
> iang
Re: [cryptography] How much does it cost to start a root CA ?
I'm really glad you asked this question. It gives me a chance to tell a story I've wanted to tell for some time.

I know the answer to your question because I've done it.

Some years ago, PGP Corporation toyed off and on with the idea of becoming a CA. We looked at ways to get there through the side door, like buying the assets of some company that was going out of business, and managed to be too little, too late. So after a lot of dithering, we started a project to create a CA from scratch. I led the project and it had a budget of US$250K. I code-named the project Casablanca. Partially because Casablanca begins and ends with a CA, but mostly because I really like the phrase, "I am shocked, shocked that PGP is issuing X.509 certificates."

The process for setting up a CA is straightforward and exacting. You have to have physical and logical controls on things, dual-authentication and separation of duties on just about everything, but it's straightforward. You have to write a lot of documents, create a lot of procedures, and have all of that audited. You have to get audited regularly and often as you start out, and then the audits taper off after you show that you're running a tight ship.

The main thing you're looking to do is to pass the WebTrust audit and associated practices that the platforms will require you to do. Microsoft has the most mature process. They have a set of rules and guidelines. If you follow them, you're in. One of those, by the way, is that you have to be a retail CA, as opposed to an internal one or a government one. It's best to work with Microsoft first, and once you're in their root program move to the others. They are fair, disciplined, and helpful. Most of all, once you've gone through all that, it's easier to get into the other important root stores.

If you go into this business with the attitude that you're doing a job that protects the Internet at large, defends the public trust, and so on, then you'll find the requirements completely reasonable and easy to do.

Now that $250K that I spent got an offline root CA and an intermediate online CA. The intermediate was not capable of supporting workloads that would make you a major business. You need a data center after that, that supports the workloads that your business requires. But of course, you can grow that with your customer workload, and you can buy the datacenter space you need.

The costs got split out to about 40% hardware, etc. and 60% people. It does not include the people costs of the internal PGP personnel who worked on it. I raided part time help from around the company. It took about fourteen months from start to end.

PGP bought an existing company, TrustCenter. TrustCenter was the remaining end of GeoTrust (spun out Equifax) that Verisign did not buy. The plan was that the PGP-branded Casablanca roots would be put into the TrustCenter machinery and datacenters, and then you have a major CA. That got interrupted by Symantec buying PGP and then buying Verisign. Casablanca is now rolled up into their Norton CA business along with Verisign and Thawte, GeoTrust, etc.

There are rumors, which you've read here about how there are lots of underhanded obstacles in the way of becoming a CA. My experience is that the only underhanded part of the industry is that no one in it dispels the rumors that there are underhanded obstacles in your path. This is pretty much the first time I have, so I suppose I'm as guilty as anyone else.

Furthermore, there are lots of overblown rumors about the CA/Browser Forum. You don't have to be a Forum member to be a CA. If you plan to issue EV certificates, you have to follow the EV guidelines which are produced by the CA/Browser Forum, but that is because the platforms won't put your EV root in their stores unless you do. You don't have to be a member of the Forum to be a CA. As a matter of fact, there are a large number of CAs that are not members. The situation is similar to Internet protocols and the IETF. If you want to make routers, you don't have to be a member of the IETF. You *will* have to follow IETF documents, but you don't have to participate. Obviously, there are advantages in participating, but there are also costs.

I was involved in the CA/Browser Forum for a few years, first with Apple (on the browser end) and then with Entrust (on the CA end). I heard the stories about how it's a cartel, etc. At PGP, we had no plans to be members because we had no interest in being part of a cartel. It was a huge disappointment to be there and find out that it isn't a cartel at all, it's a volunteer organization that handles lots of the rough edges of web PKI with the same combination of spurts of efficiency and spurts of fecklessness that you find in just about any organization that tries to get a bunch of organizations with different goals to work together.

Presently, the Forum is
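The "offline root CA and an intermediate online CA" layout Jon describes, together with the point made earlier in the thread that a CA is only trusted once its signing key is in the relying party's browser (and that a user can equally remove it, as Jeff does for CNNIC), in working form. This is an added example, not code from the original thread or from any poster: it uses only Go's standard crypto/x509, and every name, key and certificate in it is constructed for the demo. It also goes one step beyond the posts by giving the intermediate a pathlen:0 constraint and showing that path validation on the relying party's side, not the signing key, is what stops the intermediate delegating to a further CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for tmpl, has signer (the parent's key) sign it,
// and returns the parsed certificate plus the new key. A nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // root: the template signs itself with its own key
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template returns a CA template (CA:TRUE, keyCertSign) or a TLS server leaf for host cn.
func template(serial int64, cn string, years int, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  isCA,
		BasicConstraintsValid: true, // emit CA:TRUE / CA:FALSE explicitly
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildHierarchy issues the thread's two-tier layout, root -> intermediate -> leaf, and also
// returns the intermediate's (online) key. The intermediate carries pathlen:0: it may sign
// leaves but not delegate to a further CA. All names are constructed for this demo.
func BuildHierarchy() (root, inter, leaf *x509.Certificate, interKey *ecdsa.PrivateKey) {
	root, rootKey := issue(template(1, "Example Offline Root (constructed)", 20, true), nil, nil)
	interTmpl := template(2, "Example Online Intermediate (constructed)", 10, true)
	interTmpl.MaxPathLen, interTmpl.MaxPathLenZero = 0, true // pathLenConstraint = 0
	inter, interKey = issue(interTmpl, root, rootKey)
	leaf, _ = issue(template(3, "www.example.test", 1, false), inter, interKey)
	return root, inter, leaf, interKey
}

// Pool builds a trust store; Pool() with nothing in it models a user who removed the root.
func Pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// VerifyLeaf plays the browser: the leaf is accepted only if a chain through the supplied
// intermediates ends at a certificate in roots and the certificate matches host.
func VerifyLeaf(leaf *x509.Certificate, roots *x509.CertPool, host string, intermediates ...*x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: Pool(intermediates...),
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RogueSubCA has the pathlen:0 intermediate sign a further CA and a leaf beneath it.
// Signing succeeds (a key can sign anything); the relying party's path validation rejects it.
func RogueSubCA(inter *x509.Certificate, interKey *ecdsa.PrivateKey) (subCA, leaf *x509.Certificate) {
	subCA, subKey := issue(template(4, "Unauthorised Sub-CA (constructed)", 5, true), inter, interKey)
	leaf, _ = issue(template(5, "www.example.test", 1, false), subCA, subKey)
	return subCA, leaf
}

func main() {
	root, inter, leaf, interKey := BuildHierarchy()
	store := Pool(root) // the "get your signing key into the browser" step
	fmt.Println("root in store:   ", VerifyLeaf(leaf, store, "www.example.test", inter))
	fmt.Println("root distrusted: ", VerifyLeaf(leaf, Pool(), "www.example.test", inter))
	sub, rogue := RogueSubCA(inter, interKey)
	fmt.Println("pathlen violated:", VerifyLeaf(rogue, store, "www.example.test", sub, inter))
}
```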
Re: [cryptography] How much does it cost to start a root CA ?
A great write up Jon!

As you know in a past life I was responsible for the Microsoft Root program and introduced much of the process that is used today - it really makes me happy to see someone speak positively about what they do and I couldn't agree more.

The only thing I would change in your description below is that Microsoft does allow government CA's to be included in the program as do most of the other root programs. See: http://unmitigatedrisk.com/?p=181

Requirement is that the CA is designed and operated with the purpose of serving the Internet at large, not in a commercial sense.

With that said I agree with everything you said other than that.

Ryan Hurst

Sent from my phone, please forgive the brevity.

On Jan 5, 2013, at 11:42 AM, Jon Callas j...@callas.org wrote:
Re: [cryptography] How much does it cost to start a root CA ?
Jon,

Many thanks for this very informative post - really appreciated. Some comments, below...

On Sat, 5 Jan 2013, Jon Callas wrote:

> Now that $250K that I spent got an offline root CA and an intermediate online CA. The intermediate was not capable of supporting workloads that would make you a major business. You need a data center after that, that supports the workloads that your business requires. But of course, you can grow that with your customer workload, and you can buy the datacenter space you need.

You're the second person in this thread to mention hardware and datacenter costs ... and while I don't want to drift too far into a blood and guts sysadmin rundown, I am curious...

Are you talking about the customer facing, retail side of things with the webservers and the load balancers and all of the things that make a robust web presence or are you talking strictly the x.509 components ? Because it seems to me (naive ?) that even a very high volume x.509 signing operation is ... maybe a pair of good 1u servers and a rack at a decent (sas70/pci/blah/blah) datacenter ... ? Ok, a firewall and maybe some IDS system ... but we're still only a handful of 1u boxes and a quarter of a rack...

Perhaps it's this kind of thinking that leads to failed audits :)

> There are rumors, which you've read here about how there are lots of underhanded obstacles in the way of becoming a CA. My experience is that the only underhanded part of the industry is that no one in it dispels the rumors that there are underhanded obstacles in your path. This is pretty much the first time I have, so I suppose I'm as guilty as anyone else.

That's nice to know, and I'm heartened that all the way into 2012 this is still the case, but ... boy oh boy does this look and smell like a marketplace ripe for monopolization and a cartel ... it's almost a classic case.

I think the presence of a major browser that is a community, independent effort is an interesting wrinkle, and the fickleness of the browsing public (how fast did chrome shoot up the charts ? Safari ?) adds a wrinkle too, but ... there's no way the large, entrenched players aren't sitting around thinking gee we have a nice thing going here... Not a conspiracy theory, just common sense...

Thanks again for a really thought-provoking post.
Re: [cryptography] How much does it cost to start a root CA ?
On Sat, January 5, 2013 10:10 pm, John Case wrote:

> Jon,
>
> Many thanks for this very informative post - really appreciated. Some comments, below...
>
> On Sat, 5 Jan 2013, Jon Callas wrote:
>
>> Now that $250K that I spent got an offline root CA and an intermediate online CA. The intermediate was not capable of supporting workloads that would make you a major business. You need a data center after that, that supports the workloads that your business requires. But of course, you can grow that with your customer workload, and you can buy the datacenter space you need.
>
> You're the second person in this thread to mention hardware and datacenter costs ... and while I don't want to drift too far into a blood and guts sysadmin rundown, I am curious...
>
> Are you talking about the customer facing, retail side of things with the webservers and the load balancers and all of the things that make a robust web presence or are you talking strictly the x.509 components ? Because it seems to me (naive ?) that even a very high volume x.509 signing operation is ... maybe a pair of good 1u servers and a rack at a decent (sas70/pci/blah/blah) datacenter ... ? Ok, a firewall and maybe some IDS system ... but we're still only a handful of 1u boxes and a quarter of a rack...
>
> Perhaps it's this kind of thinking that leads to failed audits :)

It will, it does, and the information is readily available from the previous post.

https://www.cabforum.org/Baseline_Requirements_V1_1.pdf
Sections 14 through 16

Additionally, https://www.cabforum.org/Network_Security_Controls_V1.pdf describes a series of controls jointly developed by the browsers and CAs. While I'm not aware of any Browser program requiring them *yet*, I think any person concerned about the trust online would say Yes, these are all sensible requirements - stuff that should be obvious for any entity granted the ability to affect global Internet trust.

You can further find the details of the *existing* requirements for Physical Security by looking through the recognized Audit programs, such as WebTrust. See http://www.webtrust.org/homepage-documents/item54279.pdf - in particular, Sections 3.4 and 3.5

Is it a perfect system? No. But even if the CA/Browser Forum is not fully open (yet?), improvements can certainly be made to and through Mozilla, given the openness and transparency that they maintain with their root certificate policies. https://lists.mozilla.org/listinfo/dev-security-policy as always - where you can discuss things such as Mozilla's proposed policy changes, http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html

>> There are rumors, which you've read here about how there are lots of underhanded obstacles in the way of becoming a CA. My experience is that the only underhanded part of the industry is that no one in it dispels the rumors that there are underhanded obstacles in your path. This is pretty much the first time I have, so I suppose I'm as guilty as anyone else.
>
> That's nice to know, and I'm heartened that all the way into 2012 this is still the case, but ... boy oh boy does this look and smell like a marketplace ripe for monopolization and a cartel ... it's almost a classic case.
>
> I think the presence of a major browser that is a community, independent effort is an interesting wrinkle, and the fickleness of the browsing public (how fast did chrome shoot up the charts ? Safari ?) adds a wrinkle too, but ... there's no way the large, entrenched players aren't sitting around thinking gee we have a nice thing going here... Not a conspiracy theory, just common sense...

You're disregarding the dynamics at play here. The CA's don't set the requirements - the browsers do. Yes, the browsers take input from the CAs, but they also (and in particular, Mozilla) take input from their constituents.

Whether you're a closed-source vendor listening to your customers or an open-source organization with a public process, there's still a great desire from the browser vendors to engage the community. Nor is it in the browser vendors' interests to ignore their users or their users' security. I don't think any browser wants to be known as the *less* secure browser - we're all jockeying to be *more* secure, especially where it matters most.

Any defensiveness is no doubt due to the fact that trust in the system is shared between all participants - lose faith in one CA, and you lose faith in all CAs. In that sense, existing CAs - particularly entrenched ones - have incentives to improve the state of the trust and security in the overall system - the same thing users and browsers want most as well. If the cost of improving the controls and security of the system is that it means excluding CAs that are not prepared for the solemn public trust that comes from being in the root stores, then that seems like a win for all concerned parties.

I'm not trying to write an
Re: [cryptography] How much does it cost to start a root CA ?
> Any defensiveness is no doubt due to the fact that trust in the system is shared between all participants - lose faith in one CA, and you lose faith in all CAs. In that sense, existing CAs - particularly entrenched ones - have incentives to improve the state of the trust and security in the overall system

Disagree. They don't have an incentive. In fact, it has been shown that bad behavior is acceptable, which is an implicit encouragement. Mozilla and Microsoft (and et al) set a horrible precedent. I know it's Microsoft too because I personally filed the bug report against Trustwave.

Jeff

On Sun, Jan 6, 2013 at 1:48 AM, Ryan Sleevi ryan+cryptogra...@sleevi.com wrote:
> On Sat, January 5, 2013 10:10 pm, John Case wrote:
>> Jon,
>>
>> Many thanks for this very informative post - really appreciated. Some comments, below...
>>
>> On Sat, 5 Jan 2013, Jon Callas wrote:
>>> Now, that $250K that I spent got an offline root CA and an intermediate online CA. The intermediate was not capable of supporting workloads that would make you a major business. You need a data center after that, that supports the workloads that your business requires. But of course, you can grow that with your customer workload, and you can buy the datacenter space you need.
>>
>> You're the second person in this thread to mention hardware and datacenter costs ... and while I don't want to drift too far into a blood and guts sysadmin rundown, I am curious...
>>
>> Are you talking about the customer facing, retail side of things with the webservers and the load balancers and all of the things that make a robust web presence or are you talking strictly the x.509 components ? Because it seems to me (naive ?) that even a very high volume x.509 signing operation is ... maybe a pair of good 1u servers and a rack at a decent (sas70/pci/blah/blah) datacenter ... ? Ok, a firewall and maybe some IDS system ... but we're still only a handful of 1u boxes and a quarter of a rack...
>
> Perhaps it's this kind of thinking that leads to failed audits :)
>
> It will, it does, and the information is readily available from the previous post.
> https://www.cabforum.org/Baseline_Requirements_V1_1.pdf Sections 14 through 16
>
> Additionally, https://www.cabforum.org/Network_Security_Controls_V1.pdf describes a series of controls jointly developed by the browsers and CAs. While I'm not aware of any Browser program requiring them *yet*, I think any person concerned about the trust online would say Yes, these are all sensible requirements - stuff that should be obvious for any entity granted the ability to affect global Internet trust.
>
> You can further find the details of the *existing* requirements for Physical Security by looking through the recognized Audit programs, such as WebTrust. See http://www.webtrust.org/homepage-documents/item54279.pdf - in particular, Sections 3.4 and 3.5
>
> Is it a perfect system? No. But even if the CA/Browser Forum is not fully open (yet?), improvements can certainly be made to and through Mozilla, given the openness and transparency that they maintain with their root certificate policies. https://lists.mozilla.org/listinfo/dev-security-policy as always - where you can discuss things such as Mozilla's proposed policy changes, http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html
>
>>> There are rumors, which you've read here about how there are lots of underhanded obstacles in the way of becoming a CA. My experience is that the only underhanded part of the industry is that no one in it dispels the rumors that there are underhanded obstacles in your path. This is pretty much the first time I have, so I suppose I'm as guilty as anyone else.
>>
>> That's nice to know, and I'm heartened that all the way into 2012 this is still the case, but ... boy oh boy does this look and smell like a marketplace ripe for monopolization and a cartel ... it's almost a classic case.
>>
>> I think the presence of a major browser that is a community, independent effort is an interesting wrinkle, and the fickleness of the browsing public (how fast did chrome shoot up the charts ? Safari ?) adds a wrinkle too, but ... there's no way the large, entrenched players aren't sitting around thinking gee we have a nice thing going here... Not a conspiracy theory, just common sense...
>
> You're disregarding the dynamics at play here. The CAs don't set the requirements - the browsers do. Yes, the browsers take input from the CAs, but they also (and in particular, Mozilla) take input from their constituents.
>
> Whether you're a closed-source vendor listening to your customers or an open-source organization with a public process, there's still a great desire from the browser vendors to engage the community. Nor is it in the browser vendors' interests to ignore their users or their users' security. I don't think any browser wants to be known as the *less* secure browser -
Re: [cryptography] How much does it cost to start a root CA ?
On 2013-01-05 9:31 AM, Ryan Sleevi wrote:
> On Fri, January 4, 2013 3:06 pm, James A. Donald wrote:
>> On 2013-01-05 8:05 AM, Ryan Sleevi wrote:
>>> Can you explain how, exactly, incumbents leverage any power to keep new entrants out?
>>
>> Such behavior is necessarily a deviation from official truth, from the way certification is supposed to work, thus the only way to observe such behavior would be if emails leaked, as in the climategate files where we saw how peer review actually worked.
>>
>> Analogously, regulators, financial audits and ratings agencies were supposed to ensure that banks only invested in safe stuff. When the proverbial hit the fan, it became apparent that regulators, financial audits and ratings agencies in practice ensured that banks only invested in politically correct stuff, but no one can explain how, exactly, this happened - well it is pretty obvious how it happened, and one can make a pretty good guess how it happened, but there is no direct official evidence as to how it happened.
>
> While I appreciate a good bit of paranoia and tin-foil hat wagging as much as the next person, I think your analogy breaks down pretty critically. In the case you referenced, it was the role of auditors and regulators to keep people out / keep people honest, and they failed, and so more people / dishonest people got in.

Regulators such as Jon Corzine?

They did not fail. In the US most of the money that was pissed away in the great financial crisis was not pissed away on financial engineering, splitting derivatives, and enriching bankers, but on rewarding targeted voting blocks and specific get-out-the-vote organizations - from which one may infer what went on behind the scenes, plus some small amount of what went on behind the scenes has been revealed, leading to the suspicion that behind the scenes, it was all like that.

> However, the speculation about CA collusion requires the CAs to be working hard to keep new entrants out - the exact *opposite* behaviour.

Long established bankers, such as Angelo Mozilo, heading long established banks, made dud loans and bribed government employees to take the loans off their hands at face value. Who were these new entrants of which you speak? Jon Corzine?

Similarly, long established CAs, such as VeriSign, presumably bribe existing browser teams.

___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] How much does it cost to start a root CA ?
On 2013-01-05 12:07 PM, Morlock Elloi wrote:
> Correct. The cost of being CA is equal to the cost of getting CA signing pub key into the target audience browsers. You can (sorted by increasing security, starting with zero):
>
> 1 - go through browser vendors,
> 2 - have your users install additional CA key into their existing browsers (and perhaps remove others), or
> 3 - distribute your own browser package.
>
> Pick one.

Most of the browsers are open source. A fork could be justified by adding privacy value or security value, as, for example, SRWare Iron or the Tor browser. This also applies pressure on the major browsers to refrain from too flagrantly violating their customers' privacy.

Perhaps we need a browser that facilitates communication and interaction between the holder of one bitcoin key and the holder of another.
Re: [cryptography] How much does it cost to start a root CA ?
On Fri, 4 Jan 2013, yersinia wrote:
>> Finally, it seems to me that since there are so few root CAs (~30 ?) and the service provided is such an arbitrary, misunderstood one, that existing CAs would be actively trying to prevent new entrants ... and establish themselves as toll collectors with a pseudo monopoly ... what evidence (if any) do we have that they are pursuing such an ecosystem ?
>
> Many today say that there are too many root CAs, not too few. Isn't it? https://www.eff.org/observatory.

Maybe. That's outside the scope of the questions I asked, though - I'm just interested in how difficult it is currently to start one, and what barriers the incumbents are putting into place...
Re: [cryptography] How much does it cost to start a root CA ?
On Fri, 4 Jan 2013, Greg Rose wrote:
> You could ask the folks at CAcert... I imagine Ian Grigg will also chime in. Certification costs a lot, and as you have observed, the incumbents try very hard to keep you out. Despite some reasonable sources of funding, CAcert still didn't succeed.

Well, I actually have not observed that, I just *assumed* it to be the case based on my general understanding of markets, etc. So it appears that was a good assumption.

I would indeed like to hear about how the incumbents protect this turf and to what degree they are doing so ...
Re: [cryptography] How much does it cost to start a root CA ?
On Fri, January 4, 2013 12:59 pm, Greg Rose wrote:
> You could ask the folks at CAcert... I imagine Ian Grigg will also chime in. Certification costs a lot, and as you have observed, the incumbents try very hard to keep you out. Despite some reasonable sources of funding, CAcert still didn't succeed.
>
> Greg.

Can you explain how, exactly, incumbents leverage any power to keep new entrants out?

The policies are set by the browsers/root store operators - not CAs.

Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx
Apple - http://www.apple.com/certificateauthority/ca_program.html
Mozilla - http://www.mozilla.org/projects/security/certs/policy/
Opera - http://www.opera.com/docs/ca/

Consistent among them is that they require a WebTrust or ETSI audit - audits which were designed to reflect the collective shared policies of the browsers. Not collective action by CAs.

More recently, the browsers have begun to increase the minimum requirements they expect of their root store participants, in light of several prominent failures. These are memorialized in the CA/Browser Forum's Baseline Requirements ( https://www.cabforum.org/Baseline_Requirements_V1_1.pdf ), which were driven by browsers seeking to find a consistent, common agreement about the requirements of their members.

CAcert's failures have nothing to do with the actions of any incumbent CA, but through an inability so far to meet the requirements set forth by the browser programs they were seeking to be included in. Even Ian has attested that Mozilla's policy is both clear and fair in this regard.

Additionally, there are not, as the original poster suggested, only 30 root CAs. This can be trivially discovered by examining the lists of CAs included in these programs - which are all public.

Mozilla - http://www.mozilla.org/projects/security/certs/included/
Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and-windows-phone-8-ssl-root-certificate-program-member-cas.aspx
Apple - http://opensource.apple.com/source/security_certificates/security_certificates-55024.2/ (OS X 10.8.2)
Opera - http://my.opera.com/rootstore/blog/

A lot of speculation on this thread, but the answers are readily and trivially available.

Cheers,
Ryan

> On 2013 Jan 4, at 11:41 , John Case wrote:
>> Let's assume hardware is zero ... it's a really variable cost, so I assume (correct me if I'm wrong) that it is a trivial cost compared to legal and audit costs, etc.
>>
>> So what does it cost to start a root CA, get properly audited (as I see the root CAs are) and get yourself included into, say, firefox or chrome ?
>>
>> A followup question would be: Is inclusion of a root CA in the major browsers a shall issue process ? That is, you meet the criteria and you get in ? Or is it a subjective, political process ?
>>
>> Finally, it seems to me that since there are so few root CAs (~30 ?) and the service provided is such an arbitrary, misunderstood one, that existing CAs would be actively trying to prevent new entrants ... and establish themselves as toll collectors with a pseudo monopoly ... what evidence (if any) do we have that they are pursuing such an ecosystem ?
>>
>> Thank you.
Re: [cryptography] How much does it cost to start a root CA ?
On Fri, January 4, 2013 3:06 pm, James A. Donald wrote:
> On 2013-01-05 8:05 AM, Ryan Sleevi wrote:
>> Can you explain how, exactly, incumbents leverage any power to keep new entrants out?
>
> Such behavior is necessarily a deviation from official truth, from the way certification is supposed to work, thus the only way to observe such behavior would be if emails leaked, as in the climategate files where we saw how peer review actually worked.
>
> Analogously, regulators, financial audits and ratings agencies were supposed to ensure that banks only invested in safe stuff. When the proverbial hit the fan, it became apparent that regulators, financial audits and ratings agencies in practice ensured that banks only invested in politically correct stuff, but no one can explain how, exactly, this happened - well it is pretty obvious how it happened, and one can make a pretty good guess how it happened, but there is no direct official evidence as to how it happened.

While I appreciate a good bit of paranoia and tin-foil hat wagging as much as the next person, I think your analogy breaks down pretty critically. In the case you referenced, it was the role of auditors and regulators to keep people out / keep people honest, and they failed, and so more people / dishonest people got in.

However, the speculation about CA collusion requires the CAs to be working hard to keep new entrants out - the exact *opposite* behaviour. Such a conspiracy requires auditors colluding to keep new entrants out.

To be quite frank, I would be surprised if anyone on this list, concerned about security, would be saddened or upset if they heard horror stories of WebTrust auditors finding actionable concerns that kept new entrants out - such as failures to adhere to their policies or unaddressed security concerns. At best, it means the market is incentivizing auditors to closely examine new entrants for best practices. Is that a bad thing and does it really demonstrate a vast CA conspiracy?

Has there ever been a new CA, attempting to get audited, who has said with a straight face that the audits are unreasonably thorough? Shouldn't that be the bare minimum for having the ability to affect trust globally?

So at best, we have FUD and unsubstantiated speculation about auditors being too strict - at the same time that the browsers are working to make the requirements more strict.
Re: [cryptography] How much does it cost to start a root CA ?
John Case c...@sdf.org writes:
> So what does it cost to start a root CA, get properly audited (as I see the root CAs are) and get yourself included into, say, firefox or chrome ?

The rule of thumb I've seen from various inside sources is about $1M [0]. Obviously this can vary quite a lot based on whether you're starting from scratch or already have secure facilities, vetted staff, etc, so it can go much higher, but is unlikely to be lower.

> Is inclusion of a root CA in the major browsers a shall issue process ? That is, you meet the criteria and you get in ? Or is it a subjective, political process ?

There's no bias that I've heard of, you check all the boxes to confirm that you've done what the browser vendors require, produce the auditor's OK, and you're in. To put it more succinctly, to be a root CA you just need to buy your way in. I don't mean that in a cynical manner, it's just that that's what the bottom line is, you need to spend enough money to get in, but if you're prepared to do that then anyone can get in.

> Finally, it seems to me that since there are so few root CAs (~30 ?) and the service provided is such an arbitrary, misunderstood one, that existing CAs would be actively trying to prevent new entrants ...

The extreme cost is enough of a barrier to getting in that it deters most new entrants. If you look at the root CAs that aren't mass-market ones (the GoDaddys and so on), they're all boutique CAs with captive markets or national-prestige ones where cost isn't an object, so the overhead is enough of a barrier to keep the riff-raff out.

Peter.

[0] In order to address an issue that's also come up with FIPS 140 where I've said that the cost for a level 1 is $100K and people have claimed it's much cheaper: If you claim you can get a root cert into all the major browsers for a lot less than $1M then I'll connect you with people who will want to get in at the price you quote, so you'll need to be prepared to put your money where your mouth is. For FIPS 140 I've had an open offer on my home page for several years now to pay, in cash, the price that some people have quoted they can get it done for ($30K). So far zero have taken me up on the offer.