<francesco...@gmail.com> writes:
>mmm I don't think it's the correct amount. As far as I know, obtaining a
>report (and the related seals) for Baseline v.2.0 and SSL criteria 2.0 should
>cost you around 100K dollars. Obviously not considering the money needed to
>fill any gaps that may emerge from the standards (i.e. buying HSMs). If I
>didn't understand you, please correct me.
That's like saying that getting a safety-code compliance certificate for a
building will cost you $5,000 and take about a day. That may be the cost of
getting the piece of paper, but the remedial work required to get to that
point could be half a million dollars and take a year of effort. It's the
same with getting to the point of getting the paperwork to get into the root
stores; the rule-of-thumb figure I've heard thrown around is $1M and a year's
work:
As a rule of thumb to help you estimate the amount of legal and procedural
work involved, for a CA providing general services to the public (either
directly or indirectly, for example as part of a government department or
one providing services for multiple different parties outside your direct
control rather than being purely a non-public or in-house CA), expect to
spend about a million dollars (or euros, or pounds, or zorkmids, the figure
of “one million” is rather consistent across currencies) on legal and
business issues including due diligence, preparing the certificate practice
statement (CPS), and being audited to ensure that you’ve got it right. As
one set of PKI guidelines puts it, “given that the principal product sold by
a CA is ‘trust’ there is a critical requirement to be able to demonstrate a
thorough understanding of the security threats faced by a CA” [ ]. If you
ask your lawyers about this they’ll tell you that the best way to limit your
liability is to get everyone involved to agree that they won’t use your
certificates for anything, and then the business people need to negotiate
back what they can actually be used for, as little as possible if the
lawyers can help it.
For a CA of this kind you should expect the legal side of things to occupy
two technical people (to educate the lawyers) and four to six lawyers full-
time for around six months, and then budget another six months to clear the
paperwork and wait for all the approvals to go through. If someone tells
you that they can set up your PKI for a lot less than this when your
certificate practice statement is anything more complex than “You can’t use
these certificates for any purpose and we accept no liability for anything”
then this should ring alarm bells (although some CAs claim to provide
liability cover, this is structured in such a way that the CA never has to
pay out under any conceivable real-world scenario, with one CA admitting
that their liability cover is “really there just to reassure you that it’s a
true 128-bit certificate, and to make you feel better about purchasing it” [
]). The details of the requirements for a PKI of this scope are far too
complex to even begin to address here except to warn that it’s a big one. If
you’re looking for a starting point for this then chances are that your
national government or other governing body (for example a banking standards
body or regulator if you’re a bank) will have some sort of PKI guidelines
that you can use.
Peter.