Let's Encrypt enters public beta: free HTTPS certificates for everyone!


#21

The “Jumping through hoops” part is directly related to the “passing an audit” part. CACert imposed new requirements on their assurers (e.g. passing a test) in direct response to the audit hurdles.

Being verified into the chain of trust is not that difficult, really. You bring two forms of identification to someone who is already a qualified assurer, and fill out a short form.

I’m not going to defend CACert, other than to say that they have a huge uphill battle being accepted as a free/open service into a domain that is fully controlled by heavily moneyed interests. I admire their aspirations and tenacity, but I’ve lowered my expectations of widespread use of their certificates.


#22

That’s the hoops I was talking about. You have to find a (most likely) complete stranger who’s a qualified assurer that’s hopefully nearby, try to coordinate with them to meet up, find a mix of ID to bring with that is acceptable, etc.

It does look like the ID requirements have relaxed slightly since I last looked into it… it used to be that you needed either two forms of government photo ID, or one of those and multiple other forms of ID. The only other option was sending notarized copies of an even larger amount of government-issued documentation through the mail to some address in another country, which was not happening just to be able to get some SSL certs…

I’ve had an account since 2009, and I’m not assured. Though I’ll admit, it’s probably been two or three years since I last seriously looked into it.

Compare this to Let’s Encrypt, where the only hoops you need to jump through are being able to either run the client on your webserver or manually put some files in your website while running the client somewhere else… yes, the CaCert method is a LOT more difficult.

Note, I’m not saying CaCert is bad here. Even after all these years, I still keep an eye on CaCert because they’re an interesting project. It’s just that they’re not really a very appealing alternative for what Let’s Encrypt provides at the current time.


#23

This is a good idea. Unfortunately, it doesn’t work on CentOS 6… it installs itself, but doesn’t actually do anything. Will definitely try it once my OS is supported.


#24

Uhm, bullshit. I know the people in charge of the CA compliance and auditing program at Mozilla. They aren’t in the pocket of any “heavily moneyed interests.” They do require people go through the official process though and comply with it before approval.


#25

… and then here’s some quotes from this guy, who knows a thing or two about writing and auditing software:

http://blog.fefe.de/?ts=a89f4ed6

pile of mangy Python shit

I get rashes when I see self-thinking, self-repairing, self-updating software. I’ve never experienced that does not end up making more trouble

I’ll certainly not install Python on my web server so I can apply for an SSL certificate

they offer in all seriousness a way in which a VM or a Docker image to install itself so that it can run its scruffy stink software who then requested the certificate. Are you crazy?!

The nerve to tell people that they should please “accept and run this code here”! WTF? I have operated risk minimization and the Trusted Computing Base minimized and now I’ll triple the footprint of the Web server in order to install an SSL cert?

Unbelievable.

hipster shit


#26

Typical German developer. 🙂

Don’t run it then. He can hand install his certs. The script is just to make it easy.


#27

So what certificate issuing authorities do you know of who give them away for free?


#28

And, the “typical German developer” can easily develop his own client that overcomes his objections. Right?


#29

I expect so.

I have two German developers at work that report to me. I ran his piece by one of them. When I asked if he was angry or just German, my guy replied with “German angry.” 🙂


#30

Let’s Encrypt, the topic of this thread?

