> > I think that you should avoid making this an exercise in marketing 
> > Mozilla's "Let's Encrypt" initiative.
> 
> Perhaps that's why Richard took the time to make a comprehensive list of
> all known sources of free certs, rather than just mentioning LE?

Yeah, that's what I thought when I first posted here.  Now I'm not so sure.  
You do not seem interested in hearing about any other technical possibilities 
other than Let's Encrypt, which you seem to have already chosen.

For example:
- You say "there is only secure/not secure".  Traditionally, we have things 
like defense in depth, and multiple levels of different sources of 
authentication.  I am hearing: "You will either have a Let's Encrypt 
certificate or you don't".  Heck, let's get rid of EV certificate validation 
too while we are at it: we don't want to have to do special vetting for banking 
and medical websites, because that doesn't fit in with Let's Encrypt's business 
model.

- You don't want to hear about non-centralized security models.  DANE provides 
me with control over certificate pinning for people visiting my websites.  You 
seem to be saying: Mozilla's CA will have full control over all websites.  I'm 
not sure why you'd want that level of responsibility.  If you don't like DANE, 
explain why, and propose something else that is non-centralized and not under 
Mozilla's control.

- Personally, I think that the move away from http:// is a good idea, and the 
opportunistic encryption features are an excellent start.  I am not clear why 
you think that we *technically* need to go beyond this.  Other than to force 
people to use a centralized identity system.  Which is?  Hmm... Let's Encrypt.


I *really* hope I am misunderstanding this thread...  I don't think of Mozilla 
as a company that would try to do this.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
