Funding CT Logs - Where Do The Dollars Come From?


aa_kira

Jan 20, 2017, 12:55:10 AM
to certificate-transparency

If the goal is to have CAs make CT logs publicly available, ostensibly free of charge, where does the money come from to pay for the additional upkeep and operation of these logs? It seems counterintuitive to charge fees to view these public logs (this is being proposed by several entities) but where should these CAs/organizations look to get $$$ to fund their logs?

Salz, Rich

Jan 20, 2017, 8:41:38 AM
to certificate-...@googlegroups.com

Interesting question.

So far we’ve seen

- Companies ‘just doing it’ as the cost of business, for the good of the Internet, etc – e.g., the Google logs
- CA’s running it for their own certs, as part of the cost of doing business in the “CT world”
- Subscription logs, where a CA pays the log operator to get their certs listed

I don’t think we’ve seen any “pay to use” logs.


-- 

Senior Architect, Akamai Technologies

Member, OpenSSL Dev Team

IM: rich...@jabber.at Twitter: RichSalz

Ben Laurie

Jan 20, 2017, 8:57:34 AM
to certificate-...@googlegroups.com
On 20 January 2017 at 13:41, Salz, Rich <rs...@akamai.com> wrote:
> Interesting question.
>
>
>
> So far we’ve seen
>
> - Companies ‘just doing it’ as the cost of business, for the good
> of the Internet, etc – e.g., the Google logs
>
> - CA’s running it for their own certs, as part of the cost of doing
> business in the “CT world”
>
> - Subscription logs, where a CA pays the log operator to get their
> certs listed
>
>
>
> I don’t think we’ve seen any “pay to use” logs.

They wouldn't be much use, since the Chrome CT policy forbids it.


Salz, Rich

Jan 20, 2017, 8:58:43 AM
to certificate-...@googlegroups.com
> > I don’t think we’ve seen any “pay to use” logs.
>
> They wouldn't be much use, since the Chrome CT policy forbids it.

There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy :)

Mozilla's current policy drafts don't seem to preclude this.

Eran Messeri

Jan 23, 2017, 6:58:34 AM
to certificate-transparency


On Friday, 20 January 2017 13:57:34 UTC, Ben Laurie wrote:
> On 20 January 2017 at 13:41, Salz, Rich <rs...@akamai.com> wrote:
> > Interesting question.
> >
> > So far we’ve seen
> >
> > - Companies ‘just doing it’ as the cost of business, for the good
> > of the Internet, etc – e.g., the Google logs
> >
> > - CA’s running it for their own certs, as part of the cost of doing
> > business in the “CT world”
> >
> > - Subscription logs, where a CA pays the log operator to get their
> > certs listed
> >
> > I don’t think we’ve seen any “pay to use” logs.
>
> They wouldn't be much use, since the Chrome CT policy forbids it.

What do you base this on?

My understanding is different: It's acceptable for a log to charge a CA for submissions after accepting them, but not acceptable for a log to selectively reject submissions that chain to a trust anchor it publishes as acceptable via get-roots.



aa_kira

Jan 23, 2017, 4:19:53 PM
to certificate-transparency
Is it acceptable? The CT Log Policy states: "Log Operators must: ... Not impose conditions on retrieving or sharing data from the Log." Does the fact that the word "accepting" is not part of this exclusion allow for CAs operating CT logs to charge other CAs (or other non-CA entities) for appending to their logs?

Ben Laurie

Jan 25, 2017, 12:06:53 PM
to certificate-...@googlegroups.com
On 23 January 2017 at 11:58, 'Eran Messeri' via
certificate-transparency <certificate-...@googlegroups.com>
wrote:
>
>
> On Friday, 20 January 2017 13:57:34 UTC, Ben Laurie wrote:
>>
>> On 20 January 2017 at 13:41, Salz, Rich <rs...@akamai.com> wrote:
>> > Interesting question.
>> >
>> >
>> >
>> > So far we’ve seen
>> >
>> > - Companies ‘just doing it’ as the cost of business, for the
>> > good
>> > of the Internet, etc – e.g., the Google logs
>> >
>> > - CA’s running it for their own certs, as part of the cost of
>> > doing
>> > business in the “CT world”
>> >
>> > - Subscription logs, where a CA pays the log operator to get
>> > their
>> > certs listed
>> >
>> >
>> >
>> > I don’t think we’ve seen any “pay to use” logs.
>>
>> They wouldn't be much use, since the Chrome CT policy forbids it.
>
> What do you base this on?
>
> My understanding is different: It's acceptable for a log to charge a CA for
> submissions after accepting them, but not acceptable for a log to
> selectively reject submissions that chain to a trust anchor it publishes as
> acceptable via get-roots.

I meant it forbids charging for retrieving from the logs. As you say,
CAs (or anyone else) can be charged for submitting to a log as it
stands.
