Presently these hosts have X.509 certificates:
|Arachne||Web, SMTP*||Faculty web hosting|
|Papyrus||Web||Webmail, secure pages|
|Sumac||SMTP, Web*||Department mail exchange|
|Zuma||Web||Student web hosting|
Summarizing: 15 total, 7 used for IMAP, 7 web, and 4 miscellaneous. Additionally there is a web server on Bamboo01 which does not have SSL capability. We also have 9 users to whom certificates have been issued, mainly to use OpenVPN.
These certificates are signed by the Root Certificate of the UCLA-Mathnet Certificate Authority. Unfortunately, important classes of users do not have this certificate installed as a trusted certificate authority (CA), so they get a nasty message from their browser when accessing our secure web servers. We are therefore investigating whether we should get our certificates signed by a CA whose root certificate is shipped with frequently used web browsers. First, here are summaries of some web information about certificate authorities.
Dated 2006-06-05 (fairly recent), author's full name not shown.
Which CAs are pre-installed with the major web browsers? The author intersected the CA lists from MSIE-6, Firefox-1.5, Opera-8.5 and Safari (Tiger), getting these. (Update: in 2007-02-xx Microsoft sent out an updated root cert list, which is essentially unchanged and does not include startcom.org.)
These are from the Startcom website, and are believed to be the fraction of contacts to that site using the various browsers. Given that MSIE does not pre-install Startcom's root certificate, the statistics may be biased away from MSIE.
|Other & Unknown||4%|
Operating system identified in the same set of data:
|Other & Unknown||12%|
Dated 2006-12-01, no author's full name.
It appears that they took a universe of web servers, contacted each with SSL, dumped the issuing organization (CA) of its certificate, and reported the fraction of all web servers (with SSL capability) using each CA. The total number of web servers queried was 298100. The following list shows the commonly installed CAs listed above, and a few others, in order by market share.
|Geotrust||21%||Bought by Verisign|
|Thawte||14%||Bought by Verisign|
|Comodo||5%||Not in all browsers|
|(Next 5)||13%||Not in all browsers|
|CACert Inc||0.06%||Non-common but free|
|StartCom||0.03%||Semi-common but free|
|(88 Other)||20%||All <= 1% each|
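The two surveys summarized above combine into one check: tally issuers across a set of servers, intersect the clients' root lists, and see which hosts will draw a browser warning. This is an added example, not part of the original page; the hostnames, issuer names and store contents are constructed, and matching on issuer organization name is a simplifying assumption (real clients validate the chain up to a trusted root key).

```python
from collections import Counter

def _cert(org, cn):
    # Same dict shape that Python's ssl.SSLSocket.getpeercert() returns.
    return {"issuer": ((("countryName", "US"),),
                       (("organizationName", org),),
                       (("commonName", cn),))}

# Constructed sample data: hostnames, issuers and store contents are made up.
SAMPLE_CERTS = {
    "www1.example.test": _cert("Private Dept CA", "Private Dept Root"),
    "www2.example.test": _cert("Private Dept CA", "Private Dept Root"),
    "mail.example.test": _cert("Example Commercial CA", "Example Root 1"),
    "shop.example.test": _cert("Example Niche CA", "Example Root 2"),
}
SAMPLE_STORES = {  # issuer organizations each client ships as trusted
    "browser-a": {"Example Commercial CA", "Example Niche CA"},
    "browser-b": {"Example Commercial CA"},
    "browser-c": {"Example Commercial CA", "Example Niche CA"},
}

def issuer_org(cert):
    """Return the issuer's organizationName, falling back to commonName."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName") or "(unknown)"

def common_trusted(stores):
    """Issuers present in every client's store (the intersection)."""
    return set.intersection(*stores.values()) if stores else set()

def issuer_share(certs):
    """Fraction of surveyed hosts per issuer, largest share first."""
    counts = Counter(issuer_org(c) for c in certs.values())
    total = sum(counts.values())
    return [(org, n / total) for org, n in counts.most_common()]

def hosts_that_warn(certs, stores):
    """Map host -> clients lacking its issuer (name match only, an assumption)."""
    result = {}
    for host, cert in sorted(certs.items()):
        org = issuer_org(cert)
        missing = sorted(name for name, trusted in stores.items() if org not in trusted)
        if missing:
            result[host] = missing
    return result

if __name__ == "__main__":
    print("trusted everywhere:", sorted(common_trusted(SAMPLE_STORES)))
    print("issuer share:", issuer_share(SAMPLE_CERTS))
    print("hosts that warn:", hosts_that_warn(SAMPLE_CERTS, SAMPLE_STORES))
```

A host absent from the `hosts_that_warn` result is served without complaint by every listed client, which is the goal stated for the public web servers.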
Conclusion: I'll confine my research to the intersection of market leaders and pre-installed CAs. Here is a table of prices (in US dollars) as of 2006-12-13, except the Verisign deal is from 2007-02-07.
|1 Year||2 Year||1 Year||2 Year|
|Verisign||Prices not available online.|
|(UCLA Special Deal)||$376||$752||$172||$344|
|A service is also offered where you approve issuance of Standard certificates, at the list price, in your domain.|
|Startcom||Certificates are free.|
Of particular interest is Startcom. They began business around 2004 and are based in Israel. They are trying to get their root certificate pre-installed in popular web browsers, and have been more successful in the open source community. However, over half their hits were from browsers that don't have their root cert, so we would still need to give our users instructions for installing their root cert. In other words, they are definitely the value leader, but they don't meet our goal of serving our secure pages without complaints from the clients' browsers.
Buzz on the web indicates that Verisign is arrogant and hard to deal with. They are handicapped by being coy about their prices. I suggest we not consider them further. (Later update: At UCLA a number of departments indicated interest in negotiating a certificate deal, and the campus IT section did this with Verisign. The campus prices for Verisign certificates are shown.)
Of the remaining credible vendors, Comodo is the cheapest, but also doesn't have its root cert in all the leading browsers, hence would not meet our goal.
Before selecting any vendor we should do some research on the web to see how good their customer service is. (Update: the campus Verisign deal delegates authorization to our Software Central; in other words, they are allowed to declare authoritatively to Verisign that we have the right to use the name in the certificate. Hence we don't have to deal with the weasels at Verisign.)
Conclusion: Our four public web servers, which we have an operational need to make nice, are Arachne, Papyrus, Zuma and Sumac. If we go with the campus deal, we're committing to $172/year per cert, or $688/year. Unfortunately, this number is at the edge of the pain threshold, so it doesn't absolutely tell us whether to sign up or to reject the idea. If all 15 of our host certificates were traceable to the vendor the cost would be $2580/year, which clearly is not worth it.
I suggest the following steps: