[Ach] opinions on letsencrypt.org?

Aaron Zauner azet at azet.org
Tue Nov 25 16:20:13 CET 2014


Hi *,

L. Aaron Kaplan wrote:
> Hi *,
> 
> A couple of days ago, I stumbled across https://letsencrypt.org/.  Somehow it highly reminded me of cacert.org.
> On the other hand, they seem to be going further by automating SSL certificate creation, CSR signing etc. while doing less work on the WoT part of cacert.org.

They also plan to integrate with certificate transparency, EFF's SSL
Observatory and scans.io - which is essential. I've included a short
mention in my DeepSec talk but have yet to look through the design spec
properly and maybe do a review. Not much time though. The most obvious
pro is (opportunistic) HTTPS for everyone.

> 
> Did someone here look into letsencrypt.org in more detail and could you share your impressions?
> Could this be a cacert.org version 2.0? Or a startssl.com killer? [1]

My hope would be that it'll blow commercial CAs out of the water, but
that's probably not going to happen. Let's do a web-of-trust voodoo dance!

> My gut feeling tells me that DANE is probably a better tech.... but so was Betamax. 
> Curious about your feedback.

As with TACK I hear that some vital Google engineers don't like the DANE
trust/security model. I'm curious if it'll see real adoption. Their
reasoning so far has been that there are more "entry points" for an
attacker than with a central (and CT audited) trust system as with
certificate authorities. But I'm not them, just relaying what I've heard
and read from them on mailing lists and Twitter here.

Aaron
