undefined | Better HN

0 pointsfrik8y ago0 comments

I meant a clone/copy of the (hopefully open) server software of LetsEncrypt stack running as a service on several well known cloud datacenters - of course under a different name.

Why? Not a single point of issue. Given now that it has now 25% market share, it's a high profile target, and given he short cert lifetime aggressive updating is necessary meaning you could receive a underhanded cert in case someone gets access to the high profile target. If Let's Encrypt is not a startup and doesn't plan to make money, then there should be no problem to release the whole service as DEB/package so that every big hosted can run a clone under a different name. Or is LetsEncrypt in the business of gathering analytics and selling the usage data? I think no.

0 comments

1 comments · 1 top-level

pfg8y ago

Just to clarify, do you want to give every one of those big hosters the keys to the internet, as in either a new root CA or one that's cross-signed by an existing CA?

If you're not giving them that, I'm not sure what they would do with just the CA server (which is indeed open source, by the way.) If you're giving them the keys ... well, do you really want to trust every single big hoster with the keys to the internet? They would still have to pass (very expensive) audits, apply for root inclusion, etc., so it wouldn't be as simple as running the Let's Encrypt server stack.

Amazon and Google run their own independent CAs already, with Amazon offering free issuance as part of some of their products (with non-extractable keys). I'd expect Google to offer something similar in the near future. I'm reasonably confident that these companies know how to run a CA, but I'm not sure I would trust many other hosters with something like that.

j / k navigate · click thread line to collapse