IP: SSL Certificate "Monopoly" Bears Financial Fruit

Lucky Green shamrock at cypherpunks.to
Fri Jul 12 12:44:04 PDT 2002


Adam wrote:
> On Fri, Jul 12, 2002 at 11:18:12AM -0400, Trei, Peter wrote:
> A 'second hand' root key seems to have some 
> trust issues 
> | - the thing you are buying is the private half of a public key pair 
> | .... but that's just a piece of information. How can you be 
> sure that, 
> | as purchaser, you are the *only* possessor of the key, and 
> no one else 
> | has another copy (the seller, for example)?
> 
> Who cares?  If I can get a key thats in the main browsers for 
> 90% off, who cares if other people have it?
> 
> I understand that getting the public half of the 2 main 
> browsers will run you about $250k in fees, plus all the setup 
> work.  If I can buy a slightly used Ncipher box whose public 
> key bits are in the browsers for a 10th to a 5th of that, the 
> extra copies of the bits aren't all that worrisome to me.

Precisely. Nor would worrying make any difference, since all CAs
preinstalled into the browser are equal from a user perspective. The
security  your CA, or VeriSign's CA, or anybody's CA can afford their
customer is subject to an upper bound set by the preinstalled CA with
the laxest certificate issuance standards in existence.

In other words, anybody who selects a public CA on a factor other than
price likely fails to understand the trust models that underlie today's
use of Certificate Authorities.

However, $250k will not nearly get you into the major browsers. Getting
into Netscape is easy. You just hand them the cash and the floppy with
your public key. Getting into MSIE is a lot harder. MSFT has never
charged to include a CA's key in MSIE and MSFT does not intend on
charging in the future. But after the root CA bonanza for MSIE 5, MSFT
instituted policy changes.

To get your CA's key included in MSIE, the CA must have passed an SAS 70
audit. (The CA also must offer its certificates to the public).

The infrastructure, policy, staff, and auditing costs of passing such an
audit will run you upwards of $500k.

By the end of the day, getting a new root into the browsers will cost
you about, give or take a few hundred k, $1M.

Which makes the slightly used nCipher box an even better value. :-)

--Lucky Green





More information about the cypherpunks-legacy mailing list