On 01.09.2018 at 12:51, Pete Biggs pete@biggs.org.uk wrote:
That was until LetsEncrypt comes along - it has the backing of some big names and *IS* an effective business model for small and private customers.
What *is* the business model of Let’s Encrypt?
Are they going to issue "Pro" certificates at some point that cost money?
Running a CA is not expensive per se - it’s the audits that the CAB (CA+Browser) Forum mandates that are expensive.
In the beginning, the certificates carried a certain level of trust that came both from the high prices (deterring drive-by crooks) and from the fact that some sort of vetting was done to ensure that nobody could obtain a certificate for a domain they didn't really control.
But the latter step is not very friendly to automation. And CAs can in principle issue certificates for any domain - a fact brought home by the compromise of the Dutch CA DigiNotar in the fall of 2011. Adding to this is a concentration process in the industry that leads to fewer and fewer companies that know less and less about their customers.
These days, a certificate just shows that the communication is encrypted. Whether the other endpoint is what it claims to be is of no concern to any third party involved in setting up that communication process.
There's even talk about deprecating the special handling browsers have for EV certificates in future versions of Mozilla.