Ask HN: How to start a CA?

7 points by pritambaral ↗ HN
What would it take to run a CA business/service? I know the technical details, but I think it would be hard to convince major client vendors to trust a new CA. Even if the new CA gets Chrome and Firefox's trust, there are slower updating clients out there, who may not trust this CA just because Google and Mozilla did. There could also be more requirements, obligations, expectations than just gaining clients' trust.

Ref: source of thought https://news.ycombinator.com/item?id=7557823

6 comments

[ 2.9 ms ] story [ 29.5 ms ] thread
Read the link, agreed it is a great idea.

The problems are not technical, but that of trust. How do you get a reliable mechanism for trust that resists social engineering?

Maybe the Hacker News community could be a starting point? Some combination of karma, longevity, vouching via LinkedIn, etc? Problem is that almost everything that I think of can be gamed. Maybe some other readers have a more comprehensive grasp of how to go about making such a CA solid and reliable.

Agreed that trust is the biggest problem. Specifically, how do you convince major browser vendors they should ship with the root cert for your CA. If that doesn't happen, it drastically limits the practicality.
pharaohgeek's response is an eyeopener.

You could provide an easy to use guide for people to install your root certificate into their browser. Then it becomes a matter of making sure that your CA issued certificates are not abused. I think that is a huge risk if you can't make sure that spammers, etc can't get hold of your certificates.

Running a commercial CA is not for amateurs or those with a weak stomach. It's a LOT of work, and costs a LOT of money. The operational security requirements are VERY high in order gain the trust of your customers. The physical security alone is prohibitively expensive for most companies. Man traps, secure server rooms (REALLY secure), biometrics, etc. Additionally, there are the technical security requirements. Smartcards, hardware security modules (HSMs) for key storage, and so on.

In order to gain the trust of the browser manufacturers, your PKI has to be certified by a recognized standards body. This is not easy, and it is not cheap. Every aspect of your operation and infrastructure needs to be documented, and you have to stick to it. No relaxing on the rules.

Practically speaking, you're talking about an expense on the order of a 7-figure expense to get things up and running, with additional costs for certification, etc.

SOURCE: I've worked on the largest PKI in the world (Fed. Gov't) as well as the largest commercial CAs for the last 14 years.

Thanks for the terrific insight. Had no idea that it was like running Fort Knox. With that sort of investment, no wonder the pressure to amortise capital costs pushes the prices up.
Well, you also have to remember that the marginal costs of issuing a cert are next to nothing. Once you've spent your money getting everything built out and certified, issuing a single certificate is almost pure profit! That's especially true for run-of-the-mill SSL certificates. Obviously, if you're an enterprise and you want a full, hosted PKI solution there are additional costs and work involved. But, for the commercial certs you buy one at a time from Verisign, et al, the marginal cost is very low.