{"id":316,"date":"2017-07-20T14:51:23","date_gmt":"2017-07-20T14:51:23","guid":{"rendered":"http:\/\/securitycurve.com\/?p=316"},"modified":"2017-07-20T14:51:23","modified_gmt":"2017-07-20T14:51:23","slug":"looking-at-you-ca-browser-forum-economics-of-cas-certificate-authorities-and-viability-of-public-pki","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=316","title":{"rendered":"Looking at you CA Browser Forum: Economics of CA’s (Certificate Authorities) and viability of Public PKI"},"content":{"rendered":"

Edit: Picture is not reflective of anything… I just thought it was funny.<\/em><\/p>\n

I came across an article<\/a> in my feedly (yes, I use feedly – mock all you want, but I like the interface) about Let’s Encrypt<\/a>. \u00a0If you haven’t heard about Let’s Encrypt, it’s a certificate authority – a free, automated one that gives X.509 certs for use to secure TLS sites. \u00a0SSL too I suppose, but let’s assume you’re not using that anymore because that would be foolhardy<\/a> nowadays<\/a>. \u00a0So you’re not doing that, right?<\/p>\n

Anyway the article, which in my opinion is astute and worth a read, cites issues around certificate issuance and points to potential issues associated with the public PKI we have today – or at least the de facto<\/em> implementation that exists right now. \u00a0But I think the problem is actually bigger than what the article lays out. \u00a0It’s not difficult to see why, but let’s break it down anyway.<\/p>\n

First, the growth of Let’s Encrypt<\/a>. \u00a0You might find it interesting to learn that Let’s Encrypt, \u00a0launched a little over a year ago, is now the biggest CA by volume. \u00a0It’s pretty spectacular actually. \u00a0Check out their growth trajectory since they launched about 18 months ago:<\/p>\n

\"\"<\/a><\/p>\n

If you’re surprised by this, you shouldn’t be. \u00a0Why not? \u00a0 I’ve written about this before, but it absolutely jives with the economics of how certificate authorities work. \u00a0Which leads us to the second point: the economics of PKI.<\/p>\n

Here’s the deal: these aren’t complicated. \u00a0And there’s a very precise place that market dynamics lead. \u00a0On the costs side, there’s what goes into setting up the CA: things like buying an HSM, securing equipment, building processes, writing a Certificate Policy, etc. \u00a0In terms of ongoing costs, there’s the maintenance costs associated with operating it such as hosting, customer service, revocation, bandwidth, etc. etc. \u00a0It also by the way includes the security controls and countermeasures that go into defending the environment, hardware, software, etc. \u00a0So the costs, in large part, correlate to the security services provided. \u00a0It’s not a direct one to one – it’s not necessarily that the more you spend, the more secure the process is (after all, there are certainly things like economies of scale and efficiency that can play a role here.) \u00a0However, it’s a loose barometer – \u00a0the more you spend, the more secure your CA tends to be.<\/p>\n

On the revenue side, certificates that you sell (or in this case give away for free) drive revenue – the exception being Let’s Encrypt and other CA’s that have figured out a way to provide the service for free (i.e. being offset by donations, consulting services, or something else). \u00a0Competition among CA’s is high and they differentiate almost entirely on price because people will buy whatever’s cheapest (since the underlying differences between them – such as the security that goes into providing the offering is invisible to the purchaser). \u00a0So how do certificate authorities (commercial ones anyway) increase revenue? \u00a0There’s pretty much only one way: cut costs. \u00a0What costs are they cutting? \u00a0As we discussed above, the things that (on the whole) provide security to the system: things like controls & countermeasures, administrative costs associated with keeping the environment secured, revocation infrastructure, etc. \u00a0So long as CA’s meet the minimum floor provided by the browser folks (i.e. the minimum requirements list required for them to operate) and pay the browser folks the money to be included in their trust store, purchasers do not care.<\/p>\n

The upshot of this is that the security of the model will degrade over time as CA’s carve off more and more to drive up revenue (continuing that they meet of course, the absolute minimum requirements to stay accepted by the browser community.) \u00a0It’s written in the stars<\/del> market dynamics that this will occur and we’ve seen it borne out over the years. \u00a0So how does a free certificate play in that world? \u00a0A few ways. \u00a0In the short term, it causes downward price pressure on the CA’s that are already playing close to the wire. This, in turn, leads to reductions in their ongoing operational costs. \u00a0Which, probably isn’t great (again, short term.) \u00a0Second,\u00a0maybe it causes “shedding” of commercial CA’s from the business – they literally can’t compete with free, so the old guard exits or gets clobbered.<\/p>\n

It also could be good long term. \u00a0Maybe it encourages sites that would not otherwise be able to afford using TLS to do so. \u00a0That’s worthwhile – provided a few things happen. \u00a0Specifically, the minimum standards need to be real – they need to have teeth, not suck, and be reflective of what security the process actually needs. \u00a0Let’s put it another way, the danger is that the certificates economic forces are driving down what CA’s can offer down to the minimum floor of what’s acceptable. \u00a0That really, really isn’t good unless that floor is legit. \u00a0Who sets this? \u00a0Well, technically each browser, OS, application, or other vendor can set their own – but in practice everybody pretty much toes the line of the Baseline Requirements<\/a> set by the CA Browser Forum<\/a>. \u00a0 You can see a handy list of the specifics for inclusion of the most relevant OS\/Browser folks on a page they maintain here:\u00a0https:\/\/cabforum.org\/browser-os-info\/<\/a>. \u00a0 It’s a community effort, consisting of most of the major CA’s out there and a number of the relevant members. \u00a0So, community consensus drives it. \u00a0That’s OK as far as that goes, but it bears saying that there’s a potential conflict of interest that the community needs to be careful about.<\/p>\n

So, bottom line: we’re looking to you CA Browser Forum, to keep the baseline requirements reasonable. \u00a0Seriously.<\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Edit: Picture is not reflective of anything… I just thought it was funny. I came across an article in my feedly (yes, I use feedly – mock all you want, but I like the interface) about Let’s Encrypt. \u00a0If you haven’t heard about Let’s Encrypt, it’s a certificate authority – a free, automated one that […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[45,91],"class_list":["post-316","post","type-post","status-publish","format-standard","hentry","category-security","tag-economics","tag-pki"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/316","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=316"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/316\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}