[SSL Observatory] The real cost of "free" certificates
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Apr 22 05:55:13 PDT 2011
Nasko Oskov <nasko at netsekure.org> writes:
>You are saying that *provisioning* takes over two hours. My interpretation of
>provisioning is "the process to go through to install the certificate after it
>is issued".
I was defining it as going from "I need a certificate" to "my server is ready
to go with its new cert".
>If we take this interpretation, what is the difference in process for paid
>and free certs?
Nothing, a free cert is just a paid cert without the "paid".
>If on the other hand, you are factoring the time to figure out how to get a
>certificate, then this is different and should be explicitly called out. I
>don't see the process of getting a cert from VeriSign any simpler than the
>process of StartCom.
Exactly, and that's the point, that even if the cert is "free" there's still a
lot of (paid) labour involved.
>> The SSL Observatory found 7 million self-signed certs and 4.3 million "other"
>> certs (?) (see
>> http://www.ietf.org/mail-archive/web/keyassure/current/msg01810.html), for a
>> total of 11.3 million certs that would benefit from a free CA.
>
>Again, in order to combine these two together, you need to state clearly what
>part of the process you are differentiating compared to the process of paid
>certs.
I'm not sure exactly what "other" actually is (thus the '?'), I was assuming
it was certs issued by an internal CA (meaning, most likely, 'openssl ...').
So for self-signed I was assuming you got your cert as a side-effect of 'make
install', and for 'other' (internal CA) it wasn't much more than that. If you
had to go through a complex formalised CA process then it could indeed become
as complex as dealing with a commercial CA. So the assumption was that the
DIY certs required close to zero effort to set up... like everything else in
the process, it's an approximation :-).
Peter.