Comment by schoen
11 years ago
The thing that's causing the delay is not the client software development, it's the need to create the CA infrastructure and then perform a WebTrust audit. If we were ready on the CA side to begin issuing certificates today, we would be issuing them today.
I think I may have misunderstood all of you. Is the audit process itself really that time consuming? I can imagine the amounts of bureaucracy involved, but I can't image this takes much longer than, say, a month or so. Most of the time is probably spent waiting for someone or something, right? I mean we're talking about very capable people here who have done this kind of thing before.
You are lucky to not have had to deal with corporate beuracracy - these things take time :-) At work I'm integrating an API for a mobile operator, it's apparently working and ready to be used however I've been waiting a couple of months to get all the documentation and everything setup.
Even once they have the CA it needs to be added to browsers which will take time. Taking into account release cycles of embedded devices (read phones where the manufacturer hasn't released an update), summer 2015 seems rather optimistic.
The CA will be cross-signed, so it does not need to be added to browsers right away in order to be accepted. It will be treated as an intermediate cert, not a root cert, by all mainstream browsers at the outset.
But there is a lot of paperwork to be done, and a lot of engineering to be done, and a lot of things to buy and people to hire, in order to get a CA operating.
The CA is audited for six months. During this time frame, auditors collect info about the CA, and mainly what happens with it during the six months. Sometimes an auditor will issue a "readiness" statement to help the root get included before the audit closes, but it doesn't seem like they'll need that here.