Certificate Authority, Reloaded

James F. Carter <jimc@math.ucla.edu>, 2011-01-13

Four years ago Mathnet assessed whether to purchase trust for its public-facing hosts and internal webservers; the report is here. The conclusion was to continue as we had been with our own Certificate Authority. But our needs, and servers, have changed, and it is time to revisit the issue.

Let's be clear about what trust means in this context: We pay an outside vendor annually, they sign our host certificate(s), clients connecting to our secure website have the trust vendor's root certificate installed, and so they can be assured that the host to which they are connecting has the certificate which the trust vendor signed. It is still possible that:

Presently 14 hosts actively use X.509 certificates and there are 3 more secondary roles requiring certificates on the same hosts. Most but not all are used in a context where installing the UCLA-Mathnet Root Certificate is not easy, e.g. reading mail over secure IMAP on an iPhone.

We concluded four years ago that purchasing trust for all the hosts was too expensive, and we got a certificate for just one host, secure.math.ucla.edu (a secondary role on Papyrus). We are now investigating domain-level certification to see if it fits our needs and budget.

As indicated in the previous version of this document, the credible trust vendors are Verisign and Thawte (owned by Verisign).

Verisign's current price for a 1-year cert is $399. This is for the Secure Site quality grade. They offer a SAN SSL Certificate (Subject Alternative Name), in which you can certify up to five hosts for $299/year (likely this means per host). If you plan to issue 10 or more certificates per year, you can create a Verisign Trust Center Enterprise Account for $399 + the cost of the certs, and get a modest discount per cert. You can also pay for this by a purchase order. As far as I can tell, they do not offer wildcard certs.

Thawte's current price for a 1-year cert is $149, for the SSL123 quality grade, for which they do domain validation (they send you e-mail and if you get it, you're legit). Alternatively there is the SSL Webserver Cert, for which they do full organizational validation, costing $249/year; you can add SANs for $169 each/year. Wildcard certs are also available (full organizational validation); prices are not online. (I have requested a price quote.)
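What the private-root and wildcard options mean for a connecting client, as an added example (not part of the original report or Mathnet's own tooling): a throwaway root signs one wildcard certificate, which is then checked by a client that has the root installed and by one that does not. It assumes OpenSSL 1.1.0 or later; "Demo Private Root" and dept.example.edu are constructed placeholders.

```shell
#!/bin/sh
# Constructed demo; "Demo Private Root" and dept.example.edu are placeholders.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_ca() {  # self-signed root, standing in for a site-run CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Private Root" \
    -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
}

issue_host() {  # $1 = DNS name (or wildcard) placed in the SAN extension
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo host" \
    -keyout "$work/host.key" -out "$work/host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$work/san.ext"
  openssl x509 -req -in "$work/host.csr" -days 30 \
    -CA "$work/root.pem" -CAkey "$work/root.key" -CAcreateserial \
    -extfile "$work/san.ext" -out "$work/host.pem" 2>/dev/null
}

verify_with_root() {  # client with the root installed, connecting to name $1
  openssl verify -CAfile "$work/root.pem" -verify_hostname "$1" \
    "$work/host.pem" >/dev/null 2>&1
}

verify_without_root() {  # client whose trust store lacks the root
  openssl verify -no-CAfile -no-CApath "$work/host.pem" >/dev/null 2>&1
}

make_ca && issue_host '*.dept.example.edu'
for h in imap.dept.example.edu dept.example.edu a.b.dept.example.edu; do
  if verify_with_root "$h"; then r=accepted; else r=rejected; fi
  echo "root installed, $h: $r"
done
if verify_without_root; then r=accepted; else r=rejected; fi
echo "root not installed: $r"
```

The wildcard covers exactly one label, so a single such certificate would serve hosts directly under the domain but not the bare domain or deeper names.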

Conclusion: the situation is no better this year than in 2006; $2100/year (Thawte SSL123 for 14 hosts) is not acceptable for the value received. We'll see what the price may be for the wildcard cert: probably high.

We could get a lot more value through user training: figure out what problems our users have with our certificates, and add web documents to our user support pages telling how to install our root certificate to be used by common applications such as the iPhone's mail reader and Android's browser.