The SSL Co-operative: A Member-Controlled Certification Authority

I&#x27;ll say the same thing here that I said in a response to the survey: I&#x27;d be interested in taking part in a CA co-op that seeks membership&#x2F;sponsorship to cover its infrastructure costs (including the huge initial cost of becoming an accepted CA), but that does not charge to issue certificates, including wildcard certificates.<p>Certificates cost approximately nothing to issue, and most of the CA&#x27;s infrastructure would not need significant scaling with the issuance of more certificates.<p>Manual validation of human&#x2F;organization identities (the type that requires reading identity documents, such as for EV) costs money, and that could have associated fees, but it doesn&#x27;t need to occur on a per-certificate basis. And automatable validation costs nothing.<p>In particular, wildcard certificates don&#x27;t need to cost any more than standard certificates, and no-cost wildcard certificates would change the SSL landscape significantly. Today, any service that uses subdomains incurs significant fees to secure those subdomains.

There&#x27;s an assumption in this that domain validated certificates can be wholly automated. But, in the same way that spammers seek out open SMTP relays, phishers seek out weak SSL validation systems for use in setting up phishing sites.<p>CA&#x27;s currently maintain internal keyword warning systems that flag domain validated requests for manual intervention. Anything that even hints that it is involved with a major company, church, charity, bank or financial institution gets flagged and approved manually.

I will gladly run a member organization to lower the barrier of entry to end-users and non-businesses. No one should have to sacrifice security because they don&#x27;t want to fork over that kind of cash.<p>I run a forum I want Wildcard SSL on but I don&#x27;t want to buy one since I currently spend no more than $30&#x2F;year to host it. The Wildcard SSL Cert alone would cost double that at some of the cheapest places.<p>If I can fix my problem and others, count me in.

<a href="http://www.cacert.org/" rel="nofollow">http:&#x2F;&#x2F;www.cacert.org&#x2F;</a> is a similar-ish effort that&#x27;s been ongoing for quite a long time.

A couple of questions:<p>- Where do you plan to place the infrastructure of the cooperative?<p>- What is your expected timeline to issue Browser accepted certificates?<p>- Are you planning to provide an API for signing CSRs?<p>I am currently working on a solution for self hosted messaging and file synchronization, and your project would complement our efforts to give people the possibility to self-host securely.

What would make sense to me more than an SSL co-op would actually be a registrar that gives you a free wildcard certificate for every domain you register. You almost always need a certificate for every domain you use, so why not bundle the two? I wonder if doing a crowdsourced bootstrap of such a registrar would work.

I&#x27;m mainly favor in this because I could trust the cooperative more than I trust the existing CAs. As long as it doesn&#x27;t cost me <i>more</i> than the existing cheapest options [e.g. StartSSL, NameCheap&#x27;s cheap ssl certs] and had 99.7%+ coverage, I&#x27;m 100% sure I&#x27;d pay for it.. :)

I&#x27;m failing to see how this differs from <a href="http://www.cacert.org/" rel="nofollow">http:&#x2F;&#x2F;www.cacert.org&#x2F;</a>, though perhaps this would be more strict on participation?

Am I the only one that finds it hillarious (or troubling) that the SSL cert for this site is for a different host name?

NSA, is that you? :) (Thanks for the downvotes in advance)