It doesn't take that long for a CA to do vetting checks for OV and EV certificates when everything is handed to them on a plate. Breaking CAs' vetting procedures is not too hard.

The key here is that security research shouldn't cost the researcher thousands to prove a valid point. They should be entitled to some type of compensation from the CA. It would be great if CAs ran a program that allowed security researchers to get compensated after the research instead of before.

James

On Thu, Feb 22, 2018 at 10:10 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 22/02/2018 22:17, James Burton wrote:
>
>> There needs to be a program that helps security researchers like myself get free or low cost certificates for research purposes. That EV research I did a while ago nearly set me back personally $4,297.
>>
>> James
>>
>
> I think there are three main cases and an additional concern:
>
> 1. Getting real certificates from a real CA referring to real domains.
> Only secure option is to get the research sponsored by that CA, perhaps in exchange for giving them a longer than standard heads up of any results regarding their security.
>
> 2. Getting real certificates for a test/dummy domain.
> Perhaps a weakening rule can be introduced in the BRs (subject to a lot of discussions as this will be very controversial and potentially dangerous), that certificates for the .invalid TLD can be issued under special research terms. However I doubt the current BR maintainers or the leaders of this Mozilla group will agree to that.
>
> 3. Getting invalid/test certificates for a real domain to test procedures.
> Perhaps some CAs can be talked into setting up a special "test only, DO NOT TRUST" root CA running in parallel to their real trusted roots, allowing cheap issuance for tests and experiments. Such a test root would not be in the CCADB or any root program, nor be cross-signed by any real roots.
> Such a test hierarchy would also be useful for organizations setting up and testing automated certificate management systems prior to using those systems with real certificates.
>
> Additionally, for the manual step verified EV and OV certificates, issuance involves real man-hours at the CA organization. So for such higher grade certificates, getting them for free or on a 30 days-return policy would not be a good thing to allow. Even for testing. Especially since such research certificates are probably going to trigger additional manual revocation procedures (= more man-hours to be paid).
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy