On Thu, Apr 16, 2015 at 8:16 AM, <david.a.p.ll...@gmail.com> wrote:

> > > I think that you should avoid making this an exercise in marketing
> > > Mozilla's "Let's Encrypt" initiative.
> >
> > Perhaps that's why Richard took the time to make a comprehensive list of
> > all known sources of free certs, rather than just mentioning LE?
>
> Yeah, that's what I thought when I first posted here. Now I'm not so
> sure. You do not seem interested in hearing about any other technical
> possibilities other than Let's Encrypt, which you seem to have already
> chosen.

I hope it's clear that I and others have brought up Let's Encrypt only as an example of how it's becoming easier to get a certificate -- along with other offerings from folks like StartCom and WoSign.

> For example:
> - You say "there is only secure/not secure". Traditionally, we have
> things like defense in depth, and multiple levels of different sources of
> authentication. I am hearing: "You will either have a Let's Encrypt
> certificate or you don't". Heck, let's get rid of EV certificate
> validation too while we are at it: we don't want to have to do special
> vetting for banking and medical websites, because that doesn't fit in with
> Let's Encrypt's business model.

The focus of this thread is moving the web toward a basic level of security. The fact of HTTPS today is that DV is the minimum acceptable standard. Additional levels above HTTPS+DV are great, but they're gravy on top of having protection against network attackers. Opportunistic security is also a fine idea, but it's no HTTPS. And of course none of this has to do with Let's Encrypt.

> - You don't want to hear about non-centralized security models. DANE
> provides me with control over certificate pinning for people visiting my
> websites. You seem to be saying: Mozilla's CA will have full control over
> all websites. I'm not sure why you'd want that level of responsibility.
> If you don't like DANE, explain why, and propose something else that is
> non-centralized and not under Mozilla's control.

Whether or not DANE is supported is not germane to this thread, unless you think a lack of DANE support is a blocker to broader HTTPS adoption. (I look forward to your explanation of how a strict hierarchy like the DNS is not "centralized".)

> - Personally, I think that the move away from http:// is a good idea, and
> the opportunistic encryption features are an excellent start. I am not
> clear why you think that we *technically* need to go beyond this. Other
> than to force people to use a centralized identity system. Which is?
> Hmm... Let's Encrypt.
>
> I *really* hope I am misunderstanding this thread... I don't think of
> Mozilla as a company that would try to do this.

As I hope is apparent by now from the above and from Adam's response, this thread has nothing to do with promoting LE. It's all about promoting HTTPS, whether your cert comes from LE, from another CA, or from DANE.

--Richard

> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform