Some thoughts on what StartCom's shutdown means in general

December 8, 2017

I wrote a couple of weeks ago about StartCom giving up its Certificate Authority business, and then I was reminded of it more recently when they sent my StartSSL contact address an email message about it. Perhaps unsurprisingly, that email was grumpier than their public message; I believe it was similar to what they posted on their own website (I saved it, but I can't be bothered to look at it now). Partly as a result of this, I've been thinking about what StartCom's shutdown means about the current state of the CA world.

Once upon a time, owning a CA certificate was a license to print money unless you completely fumbled it. Given that StartCom was willing to completely give up on what was once a valuable asset, it seems clear that those days are over now, but I think they're over from two sides at once. On the income side, free certificates from Let's Encrypt and other sources seem to be taking an increasingly large chunk out of everyone else's business. There are still people who pay for basic TLS certificates, but it's increasingly hard to see why. Or at least the number of such people is going to keep shrinking.

(Well, one reason is if automatic provisioning is such a pain that you're willing to throw money at certificates that last a year or more. But sooner or later people and software are going to get over that.)

However, I think that's not the only issue. It seems very likely that it's increasingly costly to operate a CA in a way that browsers like, with sufficient security, business processes, adherence to various standards, and so on. It's clear that CAs used to be able to get away with a lot of sloppy behaviors and casual practices, because we've seen some of those surface in, for example, mis-issued test certificates for real domains. That doesn't fly any more, so running a CA requires more work and more costs, especially if something goes badly wrong and you have to pass a strong audit to get back into people's good graces.

(In StartCom's case, I suspect that one reason their CA certificate became effectively worthless is that getting it re-accepted by Chrome and Mozilla would have required about as much work as starting from scratch with a new certificate and business. Starting from scratch might even be easier, since you wouldn't be tainted by StartCom's past. Thus I suspect StartCom couldn't find any buyers for their CA business and certificates.)

Both of these factors seem very likely to get worse. Free TLS certificates will only pick up momentum from here (Let's Encrypt is going to offer wildcard certificates soon, for example), and browsers are cranking up the restrictions on CAs. Chrome is especially moving forward, with future requirements such as Certificate Transparency for all TLS certificates.

(It seems likely that part of the expense of running a modern commercial CA is having people on staff who can participate usefully in places like the CA/Browser forum, because as a CA you clearly have to care about what gets decided in those places.)

Written on 08 December 2017.
« My upgrade to Fedora 27, Secure Boot, and a mistake made somewhere
We've switched over to using Let's Encrypt as much as possible »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Dec 8 00:08:40 2017
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.