On Sep 1, 2018, at 12:10 PM, Rainer Duffner <rainer at ultra-secure.de>
wrote:
>
>> On 01.09.2018 at 12:51, Pete Biggs <pete at biggs.org.uk> wrote:
>>
>> That was until LetsEncrypt comes along - it has the backing of some big
>> names and *IS* an effective business model for small and private
>> customers.
>
> What *is* the business model of Let's Encrypt?
They're a nonprofit, run off of sponsorships and donations:
https://letsencrypt.org/about/
https://letsencrypt.org/donate/
https://letsencrypt.org/docs/faq/
https://letsencrypt.org/sponsors/
https://letsencrypt.org/become-a-sponsor/
> Are they going to issue "Pro" certificates at some point that cost money?
That would be incompatible with their 501(c)(3) status.
> Running a CA is not expensive per se
Indeed.
Let's Encrypt was inevitable: the compute costs of generating certs, running the
back-end service, and holding the data were tiny in the 1990s and are even
tinier now.
Tiny times massive equals large, so at scale there are non-trivial costs, but
the old standard of ~$100/yr was rapacious for what we'd now call a domain
validation (DV) or light organization validation (OV) cert.
> In the beginning, the certificates had a certain level of trust with them
> that came both from the high prices (deterring drive-by crooks) and the fact
> that some sort of vetting was made to ensure that nobody could have issued a
> certificate for a domain they didn't really control.
I had certs in the early days, and even back then, a standard web site cert
didn't involve a whole lot of checking.
That's led to the DV vs OV vs EV distinction:
https://www.ssl.com/article/dv-ov-and-ev-certificates/
If a DV-only cert is sufficient for your purposes, then Let's Encrypt probably
does all you need.
The only reason to buy a cert these days is if you want OV or EV, and if it were
me, I'd skip OV and go to EV in order to get the extra assurances that the green
styling in the browser asserts. For some applications, it's worth the money.
DV-only covers a whole lot of use cases, though, including the one that started
this thread.
> These days, a certificate just shows that the communication is encrypted.
You may be right that there is little practical difference to a random end user
between DV and OV, but I believe there is real value in EV.
> There's even talk about deprecating the special handling browsers have for
> EV-certificates from future versions of Mozilla.
Why?
I'm aware that it's possible to generate a fraudulent EV cert, but to deprecate
the distinction between EV and DV is to impugn the value of the CA system
entirely. There are plenty of problems in the system, which is one reason why we
have the CAB Forum: untrustworthy CAs get run out of business.
That leaves transparent TLS proxy middleboxes and such, but that's just another
"Who do you trust?" argument.