I don’t need any stinkin’ CA issued certificates for my web sites, for this I do - openssl 123 …
So goes the usual rant by geeks, hackers and open source enthusiasts against the certification authorities and their accomplices Internet Explorer, Firefox and Co. Why is that, and has anything changed?
One of the primary concerns raised in discussions, blog posts and bug comments surrounding digital certificates has always been the money:
It’s the pricing policies of the greedy CAs who are sucking up our hard earned dollars for worthless digital certificates anybody can create by themselves… if one isn’t too stupid to use a few openssl commands. And anyway, anyone with $250,000 and a good lawyer can be certified to issue perfectly trusted certificates. It has very little to do with technical competence and more to do with the fact that they are trying to milk the industry for substantially more money…
That was correct in early 2005 when I started the StartCom Free SSL Certificate Project. Having realized that alternatives weren’t going anywhere in any useful time frame, and being annoyed myself at having to pay a rather significant sum for security, I decided that it might be worth trying to change the rules. We had perfect cryptography which unfortunately only some could afford, but certainly not the masses. In order to make the Internet a better (and more secure) place, certificates had to be easily obtainable.
Four years ago, when StartCom’s main focus was still the StartCom Linux distribution and the hosting business of MediaHost™, we set up a new web site, created a very simple wizard for obtaining a digital certificate and announced to the world that we intended to end this multi-million dollar business of implied security. There was certainly some naivety and a lot of innocence in our proclaimed goal, until our servers were overrun by almost two million page views during the initial days after our announcement hit the Internet news sites. We went like….WOW!
Here it was: the Israeli Linux vendor StartCom is going to issue SSL certificates for free. The news was all over the place, heated discussions erupted in interactive forums, supportive and critical (*) comments, jubilation and frustration, a mixed bag of views and reporting. Even though I admit that I wanted to stir the pot a little bit, the reaction and the extent of the coverage were completely unexpected (initially I thought our servers were under a DoS attack).
* Some comments even suggested that StartCom is operated by the Mossad, the Israeli intelligence agency.
Having realized what we had done, the period following the initial success was marked by a strategic shift of priorities at the company, a huge workload and a steep learning process. With the help of a known PKI specialist we started to set up the StartCom Certification Authority, this time for real. Policies were defined, hardware purchased, servers installed and secured, CA certificates issued, applications developed, CRLs and OCSP responders implemented, physical security enforced, a legal framework established and, and, and….at last we ordered an audit in order to confirm our policies and practices. A far cry from openssl 123 …
At that point we also had to invent a new business model for certification authorities, because we had proclaimed that digital certificates can cost much less or may even be free of charge! But somebody has to pay the bills nevertheless. Hence we established the principle that fees should be charged for the effort our personnel spend on manual processing. This allowed StartCom to keep issuing domain validated SSL certificates, which are processed mostly automatically, without charge, while applying reasonable fees for certificates with higher levels of validation.
During the following years the StartCom CA was accepted as a trusted authority for the issuance of digital certificates by various software vendors, including Apple and Mozilla. It would take the introduction of more products and many more efforts until we reached acceptance by all major browser vendors, something which is probably going to happen during the next few months.
Having provided fully trusted SSL certificates for free for the first time ever, I always had to wonder why it is such a horrible act for geeks and open source advocates to get a certified piece of bits and bytes from a third party provider, as seen in comments from here. It clearly can’t be because of the alleged financial ripoff, because the financial barrier that still existed in early 2005 no longer exists today.
Various efforts were made to explain at great length why self-signed certificates aren’t worth the digital paper they are written on. Are the most security minded and most knowledgeable folks using computers their own obstacle when it comes to digital certification? Is the freedom to use your homegrown certificate instead of that of a third party provider more important than Internet security? Isn’t a driver’s license issued by yourself about as worthless? Or is it because StartCom is nevertheless a commercial company and therefore evil? Or is this a geek factor not well understood? Do you know?
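To make the "openssl 123" argument concrete, here is an added example (my own, not part of the original post and not StartCom’s tooling) that builds a throwaway private CA and two certificates for the same hostname, one signed by that CA and one self-signed, and then runs the same check a browser performs against its trust store. The CA name, the hostname `www.example.test` and the file names are constructed placeholders; only a working `openssl` binary is assumed.

```shell
#!/bin/sh
# Added example: why a self-signed certificate is not the same thing as a
# CA-issued one from the verifier's point of view. All material below is
# throwaway and generated into a temporary directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="www.example.test"   # constructed placeholder hostname

# Build: one throwaway root CA, one leaf signed by it, one self-signed leaf
# for the very same hostname (the "openssl 123" certificate).
build_pki() {
  # 1. The root CA. This one is *meant* to be self-signed: a root gets its
  #    trust from being deliberately installed in the client's trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Throwaway Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

  # 2. The site's key and CSR, then a certificate issued by the CA.
  #    The SAN extension is what modern clients match the hostname against.
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/san.ext" \
    -out "$WORK/site-ca-signed.pem" >/dev/null 2>&1

  # 3. The self-signed certificate for the same name. Note that nothing here
  #    required owning the domain: an attacker mints this one just as easily.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$HOST" \
    -keyout "$WORK/rogue.key" -out "$WORK/site-self-signed.pem" >/dev/null 2>&1
}

# verify_cert CERT TRUSTFILE -> prints "ok" or "fail".
# This is the browser's check reduced to its core: does CERT chain to a root
# in TRUSTFILE, and does it carry the expected hostname?
verify_cert() {
  if openssl verify -CAfile "$2" -verify_hostname "$HOST" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

build_pki
echo "CA-signed leaf, trusting the CA root:      $(verify_cert "$WORK/site-ca-signed.pem" "$WORK/ca.pem")"
echo "self-signed leaf, trusting the CA root:    $(verify_cert "$WORK/site-self-signed.pem" "$WORK/ca.pem")"
echo "self-signed leaf, trusting itself (pinned): $(verify_cert "$WORK/site-self-signed.pem" "$WORK/site-self-signed.pem")"
```

The third line is the one caveat worth keeping in mind: a self-signed certificate does verify if the client has been handed exactly that certificate out of band and trusts it explicitly, which is workable for a handful of machines you administer yourself and is precisely what does not scale to the public Internet. Against a trust store that holds only roots, the self-signed leaf fails, and since `openssl verify` cannot tell the site owner's self-signed certificate from an attacker's, the rejection is the correct outcome.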