So how much money does it take to maintain a self-signed CA?
You don't need an organisation like Verisign to sign the CA.
Just a user interface issue?
Posted Feb 28, 2013 21:45 UTC (Thu) by dlang (✭ supporter ✭, #313)
You need to have processes in place to keep the bad guys out; this probably means that it takes more work to do the signing.
You need redundancy.
You need to spend time figuring out if you should sign things (unless you are a commercial CA, in which case you just need to see if the credit card accepts the charge).
That being said, the cost of running the CA itself is trivial compared to the cost of getting your cert accepted and in the various places it needs to be to do any good.
Posted Feb 28, 2013 22:33 UTC (Thu) by Lennie (subscriber, #49641)
Posted Feb 28, 2013 22:14 UTC (Thu) by mjg59 (subscriber, #23239)
Posted Feb 28, 2013 22:59 UTC (Thu) by Lennie (subscriber, #49641)
Doing a secure custom CA needs these things, I guess?
- physical security
- key security
- redundancy of the physical security and key security solution
If you get yourself some cheap netbooks with a built-in TPM and install Linux on them, you can then store two copies of your keys in two separate safes, possibly in different buildings. Then you have 3 things solved.
An East European TLD does this for their DNSSEC key-signing keys, if I remember correctly. The zone signing keys are on a machine behind a firewall which is used to push updates to the publicly visible servers.
In DNSSEC the zone signing keys are used to sign the DNS data, and key signing keys are used to sign the zone signing keys every couple of months.
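As an added illustration of the KSK/ZSK split described above (my own code, not part of this thread and not any TLD's actual DNSSEC setup), this Go program models the hierarchy with Ed25519: the offline key-signing key signs only the zone-signing key's public half, the online zone-signing key signs the data, and a verifier walks the chain from the KSK as trust anchor. It uses plain Ed25519 signatures rather than DNSSEC's DNSKEY/RRSIG wire formats, and the record string is a constructed example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)
// SignedZSK is the published zone-signing key plus the offline KSK's signature over it.
type SignedZSK struct {
	ZSKPub ed25519.PublicKey
	KSKSig []byte
}
// SignedRecord is one piece of zone data plus the ZSK's signature over it.
type SignedRecord struct {
	Data   []byte
	ZSKSig []byte
}
// NewKSK generates the offline trust anchor; only its public half is published.
func NewKSK() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}
// RolloverZSK is the periodic step: a fresh ZSK is generated and the KSK is
// taken out of the safe only long enough to sign the new public key.
func RolloverZSK(kskPriv ed25519.PrivateKey) (ed25519.PrivateKey, SignedZSK, error) {
	zskPub, zskPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, SignedZSK{}, err
	}
	return zskPriv, SignedZSK{ZSKPub: zskPub, KSKSig: ed25519.Sign(kskPriv, zskPub)}, nil
}
// SignRecord is the routine online operation; it never touches the KSK.
func SignRecord(zskPriv ed25519.PrivateKey, data []byte) SignedRecord {
	return SignedRecord{Data: data, ZSKSig: ed25519.Sign(zskPriv, data)}
}
// Verify walks the chain from the trust anchor: KSK -> ZSK -> record.
func Verify(kskPub ed25519.PublicKey, s SignedZSK, r SignedRecord) error {
	if !ed25519.Verify(kskPub, s.ZSKPub, s.KSKSig) {
		return errors.New("ZSK is not signed by the trusted KSK")
	}
	if !ed25519.Verify(s.ZSKPub, r.Data, r.ZSKSig) {
		return errors.New("record signature does not verify under the ZSK")
	}
	return nil
}
func main() {
	kskPub, kskPriv, _ := NewKSK()
	zskPriv, signedZSK, _ := RolloverZSK(kskPriv)
	rec := SignRecord(zskPriv, []byte("www.example.test. A 192.0.2.1")) // constructed record
	fmt.Println("chain valid:", Verify(kskPub, signedZSK, rec) == nil)
}
```

The point of the split is visible in `RolloverZSK`: rotating the online key only requires one signature from the KSK, so the KSK can stay in the safe the rest of the time.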
Posted Feb 28, 2013 23:36 UTC (Thu) by raven667 (subscriber, #5198)
Posted Feb 28, 2013 23:45 UTC (Thu) by Lennie (subscriber, #49641)
I know that if that is what you want, you need a lot of stuff done, because I've been following what CAcert is doing.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds