On Thu, Nov 20, 2014 at 08:27:37PM +1300, Peter Gutmann wrote:
> Mark Atwood <m...@mark.atwood.name> writes:
> >On Tue, Nov 18, 2014, at 11:25, Salz, Rich wrote:
> >> Initial drop of code and specs available here:
> >> https://github.com/letsencrypt
> >>
> >> From https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html :
> >
> >So Mozilla et al have been giving CAcert the runaround for over 4 years now,
> >and then suddenly they create a more centralized less audited "Let's Encrypt"
> >shows up, and it's welcomed into the root?
> >
> >How... interesting.
> 
> That was my immediate reaction as well.  CACert has been given the runaround
> for more than just four years, it's been more than a decade, and yet as soon
> as a Mozilla-sponsored CA turns up it's in.
> 
> Perhaps someone from Mozilla would be able to explain what the difference is
> that gets Let's Encrypt immediate acceptance while CACert has been left out in
> the cold for more than a decade.

Well, I'm not from Mozilla, but I've taken a close look at how this is all
going to work (as much as can be determined at this early stage).  Hopefully
I've got some useful info to add.

Let's Encrypt isn't getting into "the root" of anywhere.  They're apparently
getting an intermediate CA cert from IdenTrust, which will be declared and
brought under the same audit regime as the rest of IdenTrust's CA hierarchy. 
I've heard mutterings that eventually they want to run their own root, but
that'll take at least a year to go *anywhere*.

Being granted some sort of magical benefit by Mozilla wouldn't help LE
*anyway*, because they'd still need to get into Microsoft, Apple, and
Android's trust stores, at a minimum, to get even close to what they want to
achieve.  Trying to make this out as some sort of conspiracy by Mozilla
against CAcert isn't helpful to either organization -- and it isn't as
though CAcert has managed to get into any other major OS' trust store,
either, so it isn't as though Mozilla *alone* has something against CAcert.

- Matt

-- 
There is no finite resource poor policy making can't make scarce.
                -- David Conrad, in NANOG

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
