

Ask HN: How to start a CA? - pritambaral

What would it take to run a CA business/service? I know the technical details, but I think it would be hard to convince major client vendors to trust a new CA. Even if the new CA gets Chrome and Firefox's trust, there are slower updating clients out there, who may not trust this CA just because Google and Mozilla did. There could also be more requirements, obligations, expectations than just gaining clients' trust.

Ref: source of thought https://news.ycombinator.com/item?id=7557823
======
pharaohgeek
Running a commercial CA is not for amateurs or those with a weak stomach. It's
a LOT of work, and costs a LOT of money. The operational security requirements
are VERY high in order to gain the trust of your customers. The physical security
alone is prohibitively expensive for most companies. Man traps, secure server
rooms (REALLY secure), biometrics, etc. Additionally, there are the technical
security requirements. Smartcards, hardware security modules (HSMs) for key
storage, and so on.

In order to gain the trust of the browser manufacturers, your PKI has to be
certified by a recognized standards body. This is not easy, and it is not
cheap. Every aspect of your operation and infrastructure needs to be
documented, and you have to stick to it. No relaxing on the rules.

Practically speaking, you're talking about an expense on the order of
7 figures to get things up and running, with additional costs for
certification, etc.

SOURCE: I've worked on the largest PKI in the world (Fed. Gov't) as well as
the largest commercial CAs for the last 14 years.

~~~
CyberFonic
Thanks for the terrific insight. Had no idea that it was like running Fort
Knox. With that sort of investment, no wonder the pressure to amortise capital
costs pushes the prices up.

~~~
pharaohgeek
Well, you also have to remember that the marginal costs of issuing a cert are
next to nothing. Once you've spent your money getting everything built out and
certified, issuing a single certificate is almost pure profit! That's
especially true for run-of-the-mill SSL certificates. Obviously, if you're an
enterprise and you want a full, hosted PKI solution there are additional costs
and work involved. But, for the commercial certs you buy one at a time from
Verisign, et al, the marginal cost is very low.

------
CyberFonic
Read the link, agreed it is a great idea.

The problems are not technical, but that of trust. How do you get a reliable
mechanism for trust that resists social engineering?

Maybe the Hacker News community could be a starting point? Some combination of
karma, longevity, vouching via LinkedIn, etc? Problem is that almost
everything that I think of can be gamed. Maybe some other readers have a more
comprehensive grasp of how to go about making such a CA solid and reliable.

~~~
michaelmior
Agreed that trust is the biggest problem. Specifically, how do you convince
major browser vendors they should ship with the root cert for your CA? If that
doesn't happen, it drastically limits the practicality.

~~~
CyberFonic
pharaohgeek's response is an eye-opener.

You could provide an easy-to-use guide for people to install your root
certificate into their browser. Then it becomes a matter of making sure that
your CA-issued certificates are not abused. I think that is a huge risk if you
can't make sure that spammers, etc. can't get hold of your certificates.

