[SSL Observatory] The real cost of "free" certificates

Nasko Oskov nasko at netsekure.org
Wed Apr 20 09:36:07 PDT 2011


On Wed, Apr 20, 2011 at 09:55:56PM +1200, Peter Gutmann wrote:
> 
> First, the time to provision a machine or device.  This varies wildly from
> minutes through to days, I'll take the representative figure from the PARC
> study reported in "In Search of Usable Security: Five Lessons from the Field"
> by Dirk Balfanz, Glenn Durfee, Rebecca Grinter and D.K. Smetters that highly
> experienced computer users took over two hours to provision their machine with
> a certificate.

You are saying that *provisioning* takes over two hours. My
interpretation of provisioning is "the process to go through to install
the certificate after it is issued". If we take this interpretation,
what is the difference in process for paid and free certs? Aren't they
the same after all, regardless of cost?

If on the other hand, you are factoring in the time to figure out how to
get a certificate, then this is different and should be explicitly
called out. I don't see the process of getting a cert from VeriSign as any
simpler than the process of StartCom. When it comes to self-signed
certs, then I would agree that it will take the average techie a long time
to figure it out, but that eliminates the 4.3 "other" certs from the
calculation below.
 
> The SSL Observatory found 7 million self-signed certs and 4.3 million "other"
> certs (?) (see
> http://www.ietf.org/mail-archive/web/keyassure/current/msg01810.html), for a
> total of 11.3 million certs that would benefit from a free CA.

Again, in order to combine these two together, you need to state clearly
what part of the process you are differentiating compared to the process
of paid certs.

> Comments/corrections welcome (although avoiding endless bikeshedding over the 
> figures would be appreciated, if there's a large-scale study that has more 
> representative figures I'd be interested in hearing about it).

I'd only suggest clearly defining what part of the process you are
including in the cost above and explain the difference in each class of
certs. Great topic and thinking!

--
Nasko Oskov
"A hacker does for love what others would not do for money."
