On Wednesday, 29 June 2016 04:13:59 UTC+1, Matt Palmer wrote:
> The only difference here between LE and every other CA is that issuance from
> LE is free.

Nope. StartSSL and WoSign offer free issuance, Comodo offers a free "trial" which would be perfectly good for criminal enterprise. Symantec has a partner deal which is free at point of use. I'm sure I missed others; in effect, free DV is the baseline product today.

Let's Encrypt is different in two significant ways: (1) they're a not-for-profit, which eliminates the profit motive that has driven CA behaviours which were variously unsafe for the web PKI or terrible for subscribers; (2) they implement an IETF standards track mechanism for issuance.

> While it's not a meaningful speedbump for the modern criminal,
> it does at least mean they've got to find a stolen CC.

Nope. You can buy a "prepaid" EMV card at a corner store. If you're under 25 it's probably easier to buy a prepaid card than a bottle of liquor in many countries.