[SSL Observatory] The real cost of "free" certificates

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Apr 22 05:55:13 PDT 2011


Nasko Oskov <nasko at netsekure.org> writes:

>You are saying that *provisioning* takes over two hours. My interpretation of
>provisioning is "the process to go through to install the certificate after it
>is issued".

I was defining it as going from "I need a certificate" to "my server is ready
to go with its new cert".

>If we take this interpretation, what is the difference in process for paid
>and free certs?

Nothing, a free cert is just a paid cert without the "paid".

>If on the other hand, you are factoring in the time to figure out how to get a
>certificate, then this is different and should be explicitly called out. I
>don't see the process of getting a cert from VeriSign as any simpler than the
>process of StartCom.

Exactly, and that's the point, that even if the cert is "free" there's still a
lot of (paid) labour involved.

>> The SSL Observatory found 7 million self-signed certs and 4.3 million "other"
>> certs (?) (see
>> http://www.ietf.org/mail-archive/web/keyassure/current/msg01810.html), for a
>> total of 11.3 million certs that would benefit from a free CA.
>
>Again, in order to combine these two together, you need to state clearly what
>part of the process you are differentiating compared to the process of paid
>certs.

I'm not sure exactly what "other" actually is (thus the '?'), I was assuming
it was certs issued by an internal CA (meaning, most likely, 'openssl ...').
So for self-signed I was assuming you got your cert as a side-effect of 'make
install', and for 'other' (internal CA) it wasn't much more than that.  If you
had to go through a complex formalised CA process then it could indeed become
as complex as dealing with a commercial CA.  So the assumption was that the
DIY certs required close to zero effort to set up... like everything else in
the process, it's an approximation :-).

Peter.
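The two "DIY" cases Peter describes above (a self-signed cert that falls out of 'make install', and a cert issued by an internal 'openssl ...' CA) can be reproduced and told apart with a few lines of shell. This is an added example, not code from the thread or from the SSL Observatory; it assumes an openssl command-line tool is installed and uses hypothetical names (selfsigned.example.test, server.example.test, "Internal Root CA") and a scratch directory. The classifier uses the check the Observatory's two buckets imply: a cert whose issuer equals its subject is self-signed, anything else was signed by some CA.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI.
# All names below are constructed placeholders.
set -eu
WORK=$(mktemp -d)

# Case 1: the "make install" style self-signed cert. One command, no CA,
# no CSR, no approval step: the key and cert are written together.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=selfsigned.example.test" \
    -keyout "$WORK/ss.key" -out "$WORK/ss.pem" 2>/dev/null
  echo "$WORK/ss.pem"
}

# Case 2: the "other" (internal CA) cert. One extra step: a private root
# is created once, then a CSR for the server is signed with it.
make_internal_ca_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=server.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/srv.pem" 2>/dev/null
  echo "$WORK/srv.pem"
}

# Classify a PEM cert: issuer == subject means self-signed; otherwise it
# was issued by a CA (the Observatory's "other" bucket when that CA is a
# private one that no public root store trusts).
classify() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  subj=${subj#subject=}
  iss=${iss#issuer=}
  if [ "$subj" = "$iss" ]; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# Stand-alone demo: build both certs and report how each classifies.
for f in "$(make_selfsigned)" "$(make_internal_ca_cert)"; do
  echo "$f: $(classify "$f")"
done
```

Both paths take seconds of machine time; the labour Peter is counting is everything around them (deciding to do it, choosing names, getting the result onto the server, and, for the internal-CA case, getting the private root trusted by clients), which the commands above do nothing to shorten.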
