An SSL Certificate Cooperative?

Posted: Thu, 5 June 2014

I’ve been pondering co-ops, and their value in the world, lately. The thought has come to mind that a co-op which ran a Certificate Authority seems like an absolute no-brainer – the members each contribute to the operational costs (servers, software, and the eye-watering auditing expenses) and in return get to issue all the domain-verified certificates they like (and pay reasonable rates for organization-verified certificates, and perhaps even EV certs).

I know there are some superficially similar examples of this idea out there already. StartSSL captured my heart with their policy of “only charging for what costs money” (so you can get free DV certificates for personal use), but they made me sad when they charged for revocations (yes, I know revocations cost money to serve the CRL, but OCSP ain’t free either…). CAcert tickles my Free Software Fan-bone, being all about the freedom and community involvement, but loses some practicality points on the fact that they’ve been trying to get their root certs into the browsers for a long time and haven’t really gotten anywhere.

So, assuming that DNSSEC (and hence DANE) doesn’t become universally available any time soon, leaving the CA business model dead, buried, and worm-eaten, is the idea of a cooperative certificate authority of interest to anyone? Surely anyone who wished to have more control over their SSL certificates than you get with a reseller relationship, but couldn’t justify becoming a root certificate holder themselves, would see the value of something of this nature?


From: Josh Triplett
2014-06-06 07:07

I’d be extremely interested in this, especially if it provided low-cost (or no-cost in the case of non-profit/FOSS uses) certificates that support EV and/or wildcard.

From: Thijs
2014-06-05 23:02

European NRENs have considered starting their own CA for these reasons and trying to get it into the browsers’ trust stores. After evaluating all the options, they ended up becoming a reseller of an existing CA.

The NRENs handle all the vetting and therefore have a large degree of control over the processes, of course after approval of those procedures by the CA, and the costs are shared on a flat-fee basis, so there are no charges per certificate or other action. This cooperation has worked very successfully for a number of years now. See for more info.

From: Matt Palmer
2014-06-06 10:42

Josh: The co-op itself would issue certificates to/for members. What members do with those certificates after that is entirely their business. I’d expect membership costs might be a little high for each F/OSS project to sign up individually. On the other hand, if some peak body like SPI wanted to become a member of the co-op and offer certificates to whoever qualified on whatever terms they felt were appropriate, that’s their call to make. The co-op’s duty would be to make sure the certificate was issued securely and in line with the collective wishes of the membership.

Thijs: Thanks for sharing that info. I was wondering whether it would be more effective to make an arrangement with an existing CA or go it alone – I’d expect that, at the very least, the co-op would need to be bootstrapped via an existing CA, because it looks like it takes a couple of years at least to get a new root CA near-universally trusted.
