The Rhodanthe CA System

Recently, the hosting company I use made it compatible to use Server Name Indication to support SSL/TLS. This has made it possible for me to encrypt many of sites under HidekiSaitoCom domain. Currently, as written in HidekiSaitoCom PKI Information some of my sites utilize certificates issued by StartSSL. The problem of StartSSL is that its limitation calls for a fee for each revocations issued, and this is mandatory for generating a replacement certificate; the problem that can be very critical for low budget sites such as mine. Certificate costs are not negligible for websites with virtually no income. These problems are perhaps one’s aimed to be fixed by Let’s encrypt project, but its implementation is still far, and considering server side implementation seems to be necessary with their model, it is still unknown when this would be available to me.

One way to solve this problem is to use Self-signed Certificate which basically a certificate that attests itself, however, as a promoter of GnuPG I thought of handling this slightly better. Meet Rhodanthe CA.

Rhodanthe CA Diagram
Rhodanthe CA Diagram

The goal of Rhodanthe CA is not to authenticate the site, however, it is mainly used to offer opportunistic encryption scheme, using root certificate that can be externally verified using an OpenPGP key. Feature for the CA includes root certificate, intermediate certificates, and also offers Certification Revocation List. Considering the upcoming Let’s Encrypt feature seems to aim to provide a light-weight basic level of domain matching authentication, other than seeing scary warning when accessed without importing the root certificate, it should offer just as good security. Perhaps, in the future, actual authentication is more bound to Extended Validation Certificates; it’s very important that we provide functional encryption to the site.

As a side story, major corporation such as Google owns its own Certificate Authority. They have this functionality by having root certificate authority to sign their CA key, which effectively makes Google’s CA Intermediate Certificate Authority to the root CA (in their case GeoTrust) in order to issue certificates for Google’s services. The problem of this is the cost and burden such as Certificate Practices Statement; what is beyond for individuals like myself to apply for.