I’ve been pondering co-ops, and their value in the world, lately. The thought has come to mind that a co-op which ran a Certificate Authority seems like an absolute no-brainer – the members each contribute to the operational costs (servers, software, and the eye-watering auditing expenses) and in return get to issue all the domain-verified certificates they like (and pay reasonable rates for organization-verified certificates, and perhaps even EV certs).
I know there are some superficially similar examples of this idea out there already. StartSSL captured my heart with their policy of “only charging for what costs money” (so you can get free DV certificates for personal use), but they made me sad when they charged for revocations (yes, I know revocations cost money to serve the CRL, but OCSP ain’t free either…). CACert tickle my Free Software Fan-bone, being all about the freedom and community involvement, but lose some practicality points on the fact that they’ve been trying to get their root certs into the browsers for a long time and haven’t really gotten anywhere.
So, assuming that DNSSEC (and hence DANE) doesn’t become universally available any time soon and leave the CA business model dead, buried, and worm-eaten, is the idea of a cooperative certificate authority of interest to anyone? Surely anyone who wished to have more control over their SSL certificates than you get with a reseller relationship, but couldn’t justify becoming a root certificate holder themselves, would see the value of something of this nature?