[SSL Observatory] The real cost of "free" certificates

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Apr 20 08:51:10 PDT 2011


On 04/20/2011 05:55 AM, Peter Gutmann wrote:
> First, the time to provision a machine or device.  This varies wildly from
> minutes through to days, I'll take the representative figure from the PARC
> study reported in "In Search of Usable Security: Five Lessons from the Field"
> by Dirk Balfanz, Glenn Durfee, Rebecca Grinter and D.K. Smetters that highly
> experienced computer users took over two hours to provision their machine with
> a certificate.
 [...]
> The SSL Observatory found 7 million self-signed certs and 4.3 million "other"
> certs (?) (see
> http://www.ietf.org/mail-archive/web/keyassure/current/msg01810.html), for a
> total of 11.3 million certs that would benefit from a free CA.

Your comparison as stated suggests that using the "free certificates"
from a member of the CA cartel takes "over two hours", but it doesn't
say anything about how much time was spent setting up the 11.3 million
certificates you suggest would cost another two hours.

If the "other" certificates are ones that were issued by an org-internal
CA, then they could very well have taken "over two hours" already.  So
the cost of the "free certificates" doesn't actually add anything.  And
even self-signed certificates are potentially costly to deploy in terms
of time -- many tools come with no certificates configured at all, and
local administrators need to spend time and energy sorting out exactly
what kind of self-signed certificate to create (what extensions to
include, etc).

I'm not arguing that people should get their certs from the cartel; I
think there are many convincing security- and policy-related arguments
for why the CA cartel is a bad thing.

But I don't think the argument about short-term financial cost holds up
when compared to self-signed or "other" X.509 certificates, given the
time spent creating and managing those certificates.

	--dkg
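As an added example (not part of dkg's message or of the thread), the "what kind of self-signed certificate to create" decisions mentioned above, spelled out as an OpenSSL config so they are explicit and reviewable, next to a check that reports which of those extensions a certificate is missing. It assumes the openssl command-line tool is installed; the function names and the hostname are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.

# make_selfsigned_cert DIR HOSTNAME
# Writes DIR/key.pem and DIR/cert.pem for an end-entity (leaf) certificate,
# with every extension choice written down in a config file.
make_selfsigned_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    cat > "$dir/leaf.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = leaf
prompt             = no
[ dn ]
CN = $host
[ leaf ]
# An end-entity certificate, not a CA: a self-signed cert that says CA:TRUE
# can mint further certificates if it is ever trusted as an anchor.
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Modern clients match the hostname against the SAN, not the CN.
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/leaf.cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        >/dev/null 2>&1
}

# make_bare_cert DIR HOSTNAME
# The "just make it work" variant: no extension section at all. Depending on
# the OpenSSL version this yields either a v1 cert with no extensions or one
# with default CA:TRUE; neither is what a TLS server should present.
make_bare_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' \
        "$host" > "$dir/bare.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/bare.cnf" -keyout "$dir/bare-key.pem" -out "$dir/bare.pem" \
        >/dev/null 2>&1
}

# check_leaf_cert CERT HOSTNAME
# Returns 0 only if the certificate carries the extensions a leaf needs;
# otherwise prints each missing item and returns 1.
check_leaf_cert() {
    cert="$1"; host="$2"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' \
        || { echo "missing basicConstraints CA:FALSE"; rc=1; }
    printf '%s\n' "$text" | grep -q "DNS:$host" \
        || { echo "missing subjectAltName DNS:$host"; rc=1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "missing extendedKeyUsage serverAuth"; rc=1; }
    return $rc
}

# Usage: generate both certificates and compare the verdicts.
# work=$(mktemp -d)
# make_selfsigned_cert "$work" intranet.example.test
# make_bare_cert "$work" intranet.example.test
# check_leaf_cert "$work/cert.pem" intranet.example.test   # exit 0, silent
# check_leaf_cert "$work/bare.pem" intranet.example.test   # exit 1, lists gaps
```

The point of writing the config out rather than passing flags on the command line is that the file is the record of what was decided: it can be reviewed, reused across hosts, and diffed when the next administrator wonders why a certificate was issued the way it was.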
