Ask HN: How to start a CA?
What would it take to run a CA business/service? I know the technical details, but I think it would be hard to convince major client vendors to trust a new CA. Even if the new CA gets Chrome and Firefox's trust, there are slower updating clients out there, who may not trust this CA just because Google and Mozilla did. There could also be more requirements, obligations, expectations than just gaining clients' trust.
Ref: source of thought https://news.ycombinator.com/item?id=7557823
6 comments
[ 2.9 ms ] story [ 29.5 ms ] threadThe problems are not technical, but that of trust. How do you get a reliable mechanism for trust that resists social engineering?
Maybe the Hacker News community could be a starting point? Some combination of karma, longevity, vouching via LinkedIn, etc? Problem is that almost everything that I think of can be gamed. Maybe some other readers have a more comprehensive grasp of how to go about making such a CA solid and reliable.
You could provide an easy to use guide for people to install your root certificate into their browser. Then it becomes a matter of making sure that your CA issued certificates are not abused. I think that is a huge risk if you can't make sure that spammers, etc can't get hold of your certificates.
In order to gain the trust of the browser manufacturers, your PKI has to be certified by a recognized standards body. This is not easy, and it is not cheap. Every aspect of your operation and infrastructure needs to be documented, and you have to stick to it. No relaxing on the rules.
Practically speaking, you're talking about an expense on the order of a 7-figure expense to get things up and running, with additional costs for certification, etc.
SOURCE: I've worked on the largest PKI in the world (Fed. Gov't) as well as the largest commercial CAs for the last 14 years.