Indeed I do. We run a SaaS in a regulated industry, mainly in Germany. To receive and transmit certain payloads we need to use dedicated TLS certificates from a government run PK infrastructure (Search for "Smart-Meter PKI" if you are curious).
We want to become a sub-CA of this PKI and while we are aware of the policies of this specific PKI, we think that from an engineering or IT ops standpoint we can learn much more from web PKI CAs.
threesevenths · 10d ago
The difficult part of running a ca is convincing others you’re trustworthy. You need to have your business processes audited but an independent third party and then wait for your root to be adopted and deployed in browsers.
The value in exiting providers is their reach; versign for example is deployed in practically every trusted root bundle. When GoDaddy wanted to enter the market, they bought Starfield who already had a root which was widely trusted and crossed that with their own.
The reason people will pay for you to compute a number based on a number they give you and your super secret number is that people trust what you’re doing with your super secret number. And that trust takes time.
viraptor · 10d ago
And when you want to run a public one, you should learn at least everything that cacert did. They tried hard and still never got included. https://www.cacert.org/ That effort seems to be dying and it's been years since anyone asked me to authenticate them.
In the beginning they partnered with an existing CA so that they could issue certificates that where chained to roots already trusted by the major browsers.
“Getting a new root trusted and propagated broadly can take 3-6 years. In order to start issuing widely trusted certificates as soon as possible, we partnered with another CA, IdenTrust, which has a number of existing trusted roots. As part of that partnership, an IdenTrust root ‘vouches for’ the certificates that we issue, thus making our certificates trusted.”
This makes me curious: Do you have a specific goal in mind?
https://github.com/mozilla/pkipolicy
https://www.ccadb.org/
https://cabforum.org/
We want to become a sub-CA of this PKI and while we are aware of the policies of this specific PKI, we think that from an engineering or IT ops standpoint we can learn much more from web PKI CAs.
The value in exiting providers is their reach; versign for example is deployed in practically every trusted root bundle. When GoDaddy wanted to enter the market, they bought Starfield who already had a root which was widely trusted and crossed that with their own.
The reason people will pay for you to compute a number based on a number they give you and your super secret number is that people trust what you’re doing with your super secret number. And that trust takes time.
Some history here. http://wiki.cacert.org/InclusionStatus And that's before root stores had to deal with Honest Achmed's Used Cars and Certificates.
“Getting a new root trusted and propagated broadly can take 3-6 years. In order to start issuing widely trusted certificates as soon as possible, we partnered with another CA, IdenTrust, which has a number of existing trusted roots. As part of that partnership, an IdenTrust root ‘vouches for’ the certificates that we issue, thus making our certificates trusted.”
https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted/
https://letsencrypt.org/2016/08/05/le-root-to-be-trusted-by-...
https://letsencrypt.org/2023/07/10/cross-sign-expiration/