Ask HN: Looking for someone to help create a trusted CA
Hello,
This may be a long shot, but no harm in asking, right?
Does anyone have any experience in creating a trusted certificate authority: creating all the needed infrastructure, guidelines and submissions to get the root certificate included in all major browsers, OSs, devices, etc.?
And would they be interested in a new project?
If so please message me.

Shitpost: https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Running a CA is not easy, and getting your root certificates included in trusted roots is even harder. For the technical aspects of it, you will need an HSM for the root certificates generated, OCSP servers, a CRL mechanism, and the signing server. Many enterprises already run their own private CA, and there is plenty of free and open source software. The difficult part is convincing root CA programs. Mozilla, Google, and Apple would be the start, but I suppose Curl/Java/Debian (which sync with Mozilla) will take some time to catch up too. You need to be audited (by firms like KPMG, and they don't come cheap), and they expect a certain level of transparency. Why would you want to become a CA in the first place? Amazon and cPanel are root CAs that issue certificates for free. LetsEncrypt is free and issues certificates to everyone. I don't think there's any financial profit to be made anymore.

> Shitpost: https://bugzilla.mozilla.org/show_bug.cgi?id=647959
> The purpose of this certificate is to allow Honest Achmed to sell bucketloads of other certificates and make a lot of money.
Well, they're more honest than any current certificate authority.

> LetsEncrypt is free and issues certificates to everyone
When using free providers, you will notice that the "issued to -> organization" field will be empty. Free providers do not compete with company-validating trust authorities. They are just developer tools.

What nonsense. Extended validation schemes are snake oil peddled by CAs to make more money.

It is all nonsense until money is involved and customers want to know that the advertised website actually belongs to your legal entity.

Does not help in any real way. See https://arstechnica.com/information-technology/2017/12/nope-... for an example.

There's a huge difference between "it isn't impossible to bypass" and "does not help in any real way".
The only reason to get EV certs is the supposedly "safe" green organization field. As demonstrated, it can be circumvented by anyone with minimal monetary motivation. Why even bother in that case? I rate that as "does not help in any real way".

> As demonstrated it can be circumvented by anyone with minimal monetary motivation. Why even bother in that case?
Same goes for the lock on your door. Why do you bother? Just take it off.

I never said that. The alternative isn't no lock, of course. It's the free lock that's just as safe as the one with the green "this is safe" sticker that you pay a premium for.

You do realize the "lock" in this analogy that you claimed "does not help in any real way" is the EV, not the encryption?

I'm not going to continue this argument as it seems pointless. There's a reason Chrome and others moved away from prominently showing EV properties: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/s...

There most certainly was a reason, just not your reason (circumvention). Read the page you linked to. It literally says "users did not notice it", "users do not notice their absence", "users do not react as intended to positive or neutral security UI". It was user-focused. Not attacker-focused. But I do agree it's pointless to keep continuing this.

I pointed out that letsencrypt does not compete in the same space with some providers and I get responses from internet freedom activists who don't want to acknowledge the fact.

If shit is broken and doesn't work, you don't use it to make a point, you go fix it.

> They are just developer tools
A CA is a CA. A developer tool would be you signing certificates with your own private CA. LetsEncrypt is often better as they support must-staple, CT timestamps in the certificates themselves, and ECDSA leaf certificate support.
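The two points above, that a DV certificate from a free provider carries an empty organization field and that a leaf can carry must-staple and an ECDSA key, can be checked mechanically. The following is an added example, not code from any commenter: it stands up a toy single-root CA with Go's standard library (the "Toy Root" name, the hostnames and the organization are constructed sample values), issues a DV-style and an OV-style leaf, and reads back the properties under discussion.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// RFC 7633 TLS Feature extension listing status_request (5): the "must-staple" marker.
var mustStapleExts = []pkix.Extension{{
	Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24},
	Value: []byte{0x30, 0x03, 0x02, 0x01, 0x05}, // DER SEQUENCE { INTEGER 5 }
}}
// Inspect returns the subject Organization (empty on a DV-style leaf), whether must-staple is set, and whether the key is ECDSA.
func Inspect(c *x509.Certificate) (org string, mustStaple, ecdsaKey bool) {
	if len(c.Subject.Organization) > 0 {
		org = c.Subject.Organization[0]
	}
	for _, e := range c.Extensions {
		mustStaple = mustStaple || (e.Id.Equal(mustStapleExts[0].Id) && bytes.Equal(e.Value, mustStapleExts[0].Value))
	}
	return org, mustStaple, c.PublicKeyAlgorithm == x509.ECDSA
}
// IssueLeaf is a toy CA: a fresh ECDSA root (hypothetical "Toy Root") signs one leaf for dnsName; org is nil for a
// DV-style leaf. A real CA keeps the root key in an HSM and only uses it in a witnessed ceremony (constructed sample).
func IssueLeaf(dnsName string, org []string, exts []pkix.Extension) (*x509.Certificate, *x509.CertPool) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil { panic(err) }
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{dnsName},
		Subject: pkix.Name{CommonName: dnsName, Organization: org}, NotBefore: now, NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ExtraExtensions: exts}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil { panic(err) }
	leafCert, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool() // the "trust store" a relying party must hold for this chain to verify
	pool.AddCert(caCert)
	return leafCert, pool
}
```

A relying party that does not hold the toy root in its pool rejects the chain, which is the trust-store inclusion problem the thread keeps returning to.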
The snake oil pitch would have worked 3-4 years back when browsers showed a big yellow label in the address bar, but as of now they all look the same regardless of whether it's a DV, OV, or EV certificate, unless you click your way through the certificate information.

You might notice that, but very few other people do.

No one, other than us, cares about that.

Two things:
1) You have no contact info in your profile.
2) As throwaway pointed out, this is an expensive task to undertake and, at least based on your post, it's not clear what you hope to gain from building another CA that's sufficiently trustworthy to be accepted into the Web PKI root stores. Beyond free certs (Let's Encrypt), your needs might also be satisfied by something like DigiCert's Dedicated Intermediate program [1], where they will build and manage a "sub-CA" (subordinate CA) for you that chains up to their widely trusted roots. This allows you to control certificates issued under that sub-CA (as long as your requests also fall within the Baseline Requirements) but saves you from the management and compliance overhead of a truly new CA.

Thanks for the DigiCert link. Are there other CAs that offer the same service that you know of? As DigiCert is very very very expensive, as they target the top-end enterprise.

You haven't told us why you want to be a CA. What is it that you want to do, that you think you can do as a CA, but not as a customer/reseller of a CA? In my experience as a CA customer, DigiCert is certainly expensive, but with that expense comes quite a bit of flexibility. Flexibility that might be able to meet your needs. Anyway, I would be amazed if the sub-CA program from DigiCert is more expensive than running a full-blown CA, including the time and effort to get the CA into trust stores.
Plus, you're going to need to get a CA to sign your root / your intermediates while you wait for all the trust stores your customers care about to get updated; and by "get updated", I really mean for your customers' customers to throw away their old devices. Your average Android device gets zero software updates, and lasts up to 7 years in your customers' customers' hands, and who knows how many years behind upstream the manufacturer was when they built the thing.

Considering all of the, uh, interesting goings-on that have happened in the CA world over the past few years, the first thing you need is trust and transparency. Buckets of it. Preferably your own personal waterfall. I get the impression you may not be aware of the fairly unbounded levels of paranoia and suspicion that make up the bulk of public (personal and corporate) opinion about CA trustworthiness. You very obviously have a motivation and agenda to post here, and for the sake of simplicity I trust that this is benign. But not actually documenting that rationale, let alone adding some reassuring arguments, kind of comes across to me as Step #1 in How To Successfully Not Succeed At Being A CA.

The technology side is super easy if you know what you are doing. Getting your cert into the browsers is the problem. It's a political / sales & marketing type of problem. Why should they? You need a pretty convincing answer, because it's pretty hard to motivate Google or Microsoft with the offer of a cash payment.
It depends on what you mean, but getting a cert into OSs / devices should be a lot easier.

> The technology side is super easy if you know what you are doing.
There are some nontrivial technical aspects which will be required if you want any certificate stores (browsers, operating systems, etc.) to take you seriously. Running `openssl ca` a few times won't cut it. You'll need an honest-to-god HSM to store your root keys in, a witnessed procedure for generating those keys, and some ironclad policies on access to those keys. This isn't something you can half-ass and fix later; if there's any doubt about who might have access to the root keys, the CA will never be trusted.

I'd be more optimistic if you had included a note that you know the history of CAcert (https://en.wikipedia.org/wiki/CAcert.org) and have a plan on how to tackle the issues that prevented its roots from getting into the common trust stores. It's something only a handful of people have done, and realistically you'll need a certain amount of business cred to be seen as a plausible CA. And it's hard to compete with Let's Encrypt..

I'm no expert on creating a CA. The Changelog recently had an episode on Let's Encrypt. It covered a lot about how Let's Encrypt got started. Quite an amazing job; I think you should listen to it or at least read the transcript.

What's your plan? Creating something in the style of Let's Encrypt (all free, all open source) or in the style of Comodo/Verisign/etc. (paid, closed source)? You might start using software like PrimeKey EJBCA (Enterprise Edition), Microsoft Server 2019 with Certification Authority, or some wrappers around openssl that are available online.

Wait - you're asking random strangers to help you create one of the cornerstones of trust on the internet?

Other commenters have already covered the political/financial difficulties of this, so I won't mention those. However, the journey of CertSimple may be marginally relevant to what you're proposing.
They were a small CA focusing entirely on the easy issuance of Extended Validation certs. Disregarding the fact that EV never actually had any proven value (except for some code signing use cases), they did have a nice little business. As far as I know it was a one-person company at first, and they were able to piggyback off the infrastructure of an existing CA. I can't remember whether it was an intermediate cert or simply reselling. I was going to link to them, but they seem to have shut down or been absorbed into another company.

Yup, absorbed into https://expeditedsecurity.com/certsimple/

Start by being a reseller. https://www.namecheap.com/resellers/ssl-certificates/how-it-...

Not exactly what I asked or what is wanted, sorry. Plus Namecheap are terrible as a reseller.

Being a reseller puts you in the path to being a trusted CA.

You'll probably want to read the Mozilla Root Store Policy [0], if you haven't already. Oh, and be prepared to spend tens or hundreds of thousands of dollars over the next few years while this process plays out and your CA certificate actually gets added to the root store in the various browsers.
---
[0]: https://www.mozilla.org/en-US/about/governance/policies/secu...

Like everyone else is saying, this is something that will cost you millions of dollars in startup costs in order to compete with a product (Let's Encrypt) that's free of charge.

Ignore anyone telling you that what you propose is technically difficult. It is not. The code for what you want to do has been baked into Windows Server since 2008. It also exists in OpenSSL. The CA part is easy. The "getting the world to trust your CA" part is what most would call "difficult". If you can do the latter, A LOT of people here can do the former, and you will likely succeed. If you cannot do the latter, you will likely fail in the effort.

The CA part is incredibly easy if you don't need to consider security. The difficulty then ramps up the more secure you want (or need) it to be.
You'll want to study the Baseline Requirements and join the various forums such as MozDevSecurityPolicy (MDSP). Do you have a business plan for this month, this year, next year, 2 years out? Are you ready to not sleep and hate yourself for an undetermined time as you get this thing bootstrapped?

I'm not a pro, but I researched this topic a while ago. Would love to help as best as I can. Email is in my HN profile.