[kwlug-disc] Let's Encrypt out of beta
Hubert Chathi
hubert at uhoreg.ca
Fri Apr 15 15:59:46 EDT 2016
On Fri, 15 Apr 2016 14:59:42 -0400, Paul Nijjar via kwlug-disc <kwlug-disc at kwlug.org> said:
> In principle the code is open and available. If there were a bunch of
> organizations running their own Boulder server CAs then I would be
> less worried. Maybe this is happening, but I do not know what those
> other services are. That would be a model that is more robust, in any
> case.
The problem here is that the code is a secondary issue. The important
part is that their signing key is trusted by the browsers, and for
obvious reasons, they can't open source their signing key.
If CACert had ever maneged to get their key trusted, I don't know if
there would have been sufficient motivation for Let's Encrypt.
> You may be right. Maybe this is FUD. But I think that worrying about
> this infrastructure for Let's Encrypt is more important than the
> average unsustainable project, because Let's Encrypt is trying to
> become a core component of the Web. If Let's Encrypt is successful
> then a lot of commercial CAs are going to go out of business.
The big ticket items for commercial CAs are wildcard certificates and
Extended Verification (EV) certificates, which Let's Encrypt doesn't
issue. Let's Encrypt might eat into some of the wildcard certificate
revenue, but for some organizations, they either *need* a wildcard
certificate, or it's more cost-effective for them to purchase a wildcard
instead of getting a Let's Encrypt certificate for every host name that
they need. And in fact, there are some companies that *only* issue EV
certificates, so I don't think the CA business is going any time soon.
But the real solution to basic web encryption isn't Let's Encrypt, it's
DNSSEC + DANE.
More information about the kwlug-disc
mailing list