BLU Discuss list archive
[Discuss] free certs everywhere
- Subject: [Discuss] free certs everywhere
- From: tmetro+blu at gmail.com (Tom Metro)
- Date: Mon, 22 Dec 2014 22:43:13 -0500
Edward Ned Harvey (blu) wrote:
> If that argument holds, then *no* certificate authority should be
> able to charge for issuing certs.

That's a good idea. No, seriously.

It doesn't appear that a central organization holds sway over CAs, unlike the way ICANN rules over domain registries, but if there is such an organization, they could have mandated that the requirements for becoming a CA included that they offer free basic certs (but could charge what they like for more advanced certs and add-ons).

If all CAs had to do this, the burden of providing basic certs would be spread evenly across the industry (or at least proportional to their respective marketing budgets).

Unlike domains, there is an unlimited supply of certs. No need to create an artificial scarcity. As StartSSL proved, automation can vastly reduce the cost of supplying such certs.

Probably a big reason this never happened is that when CAs were being established, all that existed were basic certs. The extended validation certs and other value added services were only thought up later. Once the industry was established, hard to correct for that lost opportunity.

There is always the possibility that if free certs from "Let's Encrypt CA"[1] become popular and widely accepted, commercial CAs will see a significant loss in basic cert business, and choose to offer free certs as a loss-leader to get customers in the fold.

1. http://www.mail-archive.com/discuss%40blu.org/msg09949.html

Gordon Marx wrote:
> Which is why the free cert, pay for revocation model makes so much
> sense -- signing a CSR takes a one-time hit of some tiny amount of CPU
> and bandwidth, whereas hosting an OCSP responder or equivalent takes a
> lot more money and effort. Cert revocation is hard, and when things
> are hard to do companies can often charge money to do them :--)

Sure, but that's an artifact of the revocation infrastructure being poorly designed. Reality today, but it doesn't need to stay that way.

(OCSP is comparatively the "high tech" way to do it, but by default I don't think any mainstream browser makes use of it (I have it enabled in my browsers). Due to stubbornness or belief that OCSP fails to adequately solve the problem (it does have issues), browsers stuck with unscalable certificate revocation lists (CRLs). "Security Now" spent an episode or two on current cert revocation tech and alternatives.)

 -Tom

--
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/