Those are the minimum requirements you'll have to meet to get pretty much any browser vendor or OS developer to take you seriously and consider including your cert as trusted by default. Some have further requirements.
I'd also note that, in the wake of recent fiascos like Startcom/Wosign, Symantec, and Trustico, browser manufacturers are going to be extremely wary of new CAs -- and especially of ones operated by companies with no history in security.
Depends. Amazon CA and LE are new, there's another big one on the way. If your WebTrust audit passes and you can demonstrate you know what you're doing, I see no reason to. Cross signing for a new CA (so you work in old browsers) is about 2M on the open market.
There is no reason to believe he/she can't learn everything they need, build the contacts and raise the money. And also maybe the OP is asking to increase their knowledge without actually doing it, which is a fine thing to do, and is why people read sites like Wikipedia and HN.
This is a personal observation, but while I don't have any intention to become a root CA, knowing how to become one is still interesting, because it's neat to know things.
You need to have a large sum of money because you need to keep your infrastructure intact and maintainable, this is a must. If you cannot issue certs in time, you broke a promise. If you broke a promise, people distrust you.
Second, you have to hire a lot of security and network guy to ensure your operation is professionally carried out and will devote to do things seriously. They will make sure that no other people can steal the derivation of your identity. This is very essential because if any hackers intruded your system, they could steal the trust you built for a long time.
/u/wolrah's links[0] are a great place to start reading up on this. A root CA intending to distribute SSL certificates will have to adhere to all of the CA/Browser Forum requirements documents, plus the additional requirements imposed by each of the browsers for entry into their individual trust stores (the Apple/Google/Mozilla/Microsoft links included).
To do this, you'll need to stand up an offline root CA in a secure location, then create an issuing CA that will issue certificates. That whole thing must be created ab initio in compliance with the requirements and be operated in compliance at all times. To demonstrate that, you'll then need to pay an outside, accredited audit firm to come in and attest that you're following the rules. They issue an attestation letter stating that they reviewed your operations and your assertion that you're following the rules is valid for the period of time you state: basically, you operate the CA for a period of time, then they come in and review your evidence for that period of time that shows you're doing the right things. The smallest they'll usually feel comfortable doing that for is typically sixty days, although you can get what's called a Point In Time audit that says "they were doing the right thing at this specific moment". Those audits will cover both the WebTrust for Certificate Authorities[1] requirements and the WebTrust for Certificate Authorities — SSL Baseline with Network Security requirements[2]. They overlap, but they're two separate attestation letters with two separate seals, for which you'll pay somewhere in the neighborhood of $75k-$100k for a root CA and its issuing CA.
Once you have your audits in hand, you can apply to each of the trust stores for admission through the Common CA Database[3] that all of the trust stores are slowly gravitating towards. You'll have to supply all of your paperwork, the audit letter URLs, and all of the information about your CA for their deliberation.
The requirements (in particular the CA/Browser Forum reqs that are encompassed in the WebTrust with SSL Baseline) have some specifics around uptime, regular operations, separation of duties, and validation of security, so this is definitely a very full-time occupation: once it's going, you can't ever stop it or lose vigilance, or you risk losing your audit. Lose your audit, and you'll be pushed out of the browser stores.
11 comments
[ 4.3 ms ] story [ 41.1 ms ] threadThose are the minimum requirements you'll have to meet to get pretty much any browser vendor or OS developer to take you seriously and consider including your cert as trusted by default. Some have further requirements.
Apple: https://www.apple.com/certificateauthority/ca_program.html
Google: https://www.chromium.org/Home/chromium-security/root-ca-poli...
Microsoft: https://technet.microsoft.com/en-us/library/cc751157.aspx
Mozilla: https://www.mozilla.org/en-US/about/governance/policies/secu...
As noted Let's Encrypt is a fairly well documented example of how this plays out in the real world.
I would of course note though that this is one of those questions where if you have to ask you probably can't do it.
There is no reason to believe he/she can't learn everything they need, build the contacts and raise the money. And also maybe the OP is asking to increase their knowledge without actually doing it, which is a fine thing to do, and is why people read sites like Wikipedia and HN.
Second, you have to hire a lot of security and network guy to ensure your operation is professionally carried out and will devote to do things seriously. They will make sure that no other people can steal the derivation of your identity. This is very essential because if any hackers intruded your system, they could steal the trust you built for a long time.
To do this, you'll need to stand up an offline root CA in a secure location, then create an issuing CA that will issue certificates. That whole thing must be created ab initio in compliance with the requirements and be operated in compliance at all times. To demonstrate that, you'll then need to pay an outside, accredited audit firm to come in and attest that you're following the rules. They issue an attestation letter stating that they reviewed your operations and your assertion that you're following the rules is valid for the period of time you state: basically, you operate the CA for a period of time, then they come in and review your evidence for that period of time that shows you're doing the right things. The smallest they'll usually feel comfortable doing that for is typically sixty days, although you can get what's called a Point In Time audit that says "they were doing the right thing at this specific moment". Those audits will cover both the WebTrust for Certificate Authorities[1] requirements and the WebTrust for Certificate Authorities — SSL Baseline with Network Security requirements[2]. They overlap, but they're two separate attestation letters with two separate seals, for which you'll pay somewhere in the neighborhood of $75k-$100k for a root CA and its issuing CA.
Once you have your audits in hand, you can apply to each of the trust stores for admission through the Common CA Database[3] that all of the trust stores are slowly gravitating towards. You'll have to supply all of your paperwork, the audit letter URLs, and all of the information about your CA for their deliberation.
The requirements (in particular the CA/Browser Forum reqs that are encompassed in the WebTrust with SSL Baseline) have some specifics around uptime, regular operations, separation of duties, and validation of security, so this is definitely a very full-time occupation: once it's going, you can't ever stop it or lose vigilance, or you risk losing your audit. Lose your audit, and you'll be pushed out of the browser stores.
[0] https://news.ycombinator.com/item?id=17390183 [1] http://www.webtrust.org/principles-and-criteria/docs/item852... [2] http://www.webtrust.org/principles-and-criteria/docs/item854... [3] https://ccadb.org