[svlug] FYI for all those who don't read slashdot

Rick Moen rick at svlug.org
Thu Nov 20 09:05:17 PST 2014

Josef Grosch wrote:

> http://it.slashdot.org/story/14/11/18/1830229/launching-2015-a-new-certificate
> https://letsencrypt.org/

A new automated, gratis CA with Mozilla, Cisco, and Akamai backing it
is a whole lot better than nothing.  CACert was the pre-existing one,
but isn't in Web browser CA bundles, whereas there's reasonable
expectation that Let's Encrypt will be.  And of course certs for other
purposes besides HTTPS, such as SMTP-TLS, get slightly improved by this.

People can read elsewhere about the abundant examples of CA failure
that, along with the basic overpromising inherent in the CA model, make it
doubtful verging on Swiss-cheesed (as Michael Eager said).  Personally, I
try to take various measures so that I am no longer reliant on CA
attestation, e.g., I keep hashes of Web certs I care about in my PDA for
comparison (same as with ssh host keys), and use browser extensions that
alert me to sudden cert or attestation changes.

Knowing the Internet, though, I expect most interest in Let's Encrypt
will go no further than 'Oh, good, now my no-cost cert can be
"validated" by default Web browser configurations so that my users
won't worry about security', without any concern over whether such
users _ought_ to be trusting CA attestation in the first place.

