On Jun 15, 2016, at 9:02 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> I do see WoSign there (though I'd prefer to avoid my US located servers
> have certificates signed by authority located in China, hence located sort
> of behind "the great firewall of China" - call me superstitious).

That’s a perfectly valid concern.

The last I heard, modern browsers trust 1,100 CAs! Surely some of those CAs have interests that do not align with my interests.

> I do not see neither starttls.com nor letsencrypt.org between Authorities
> certificates.

That’s because they are not top-tier CAs.

> This means (correct me if I'm wrong) that client has to
> import one of these Certification Authorities certificates

You must be unaware of certificate chaining:

    https://en.wikipedia.org/wiki/Intermediate_certificate_authorities

Even top-tier CAs use certificate chaining. The proper way to run a CA is to keep your private root signing key off-line, using it only to sign some number of intermediate CA signing certs, which are the ones used to generate the certs publicly distributed by that CA.

Doing so lets a CA abandon an escaped private key by issuing a CRL for an escaped private key. The CA then just generates a new signing key and continues on with that; it doesn’t have to get its new signing key into all the TLS clients’ trusted signing key stores because the new key’s trust chain goes back to the still-private offline root key.

Without that layer of protection, if their private signing key somehow escapes, the CA is basically out of business until they convince all the major browsers to distribute their replacement public key.

> - but other clients, like laptops had to download, install and
> trust my CA certificate).

If those laptops are Windows laptops on an AD domain, there is a way to push CA public keys out to them automatically. (Don’t ask me how, I’m not a Windows admin. I’m just aware that it can be done.)

> Also: with CA signing server certificate there is a part that is
> "verification of identity" of domain or server owner. Namely, that whoever
> requested certificate indeed exists as physical entity (person,
> organization or company) accessible at some physical address etc. This is
> costly process, and as I remember, free automatically signed certificates
> were only available from Certification Authority whose CA certificate had
> no chance to be included into CA bundles shipped with browsers, systems
> etc. For that exact reason: there is "no identity verification". The last
> apparently is costly process.

I’m not exactly sure what you’re asking here.

If you are simply pointing out that the free certificate providers — including Let’s Encrypt — do not do public records background checks, D&B checks, phone calls to phone numbers on your web page and DNS records, etc. to prove that you are who you say you are, that is true.

Let’s Encrypt is not in competition with EV certificates, for example:

    https://en.wikipedia.org/wiki/Extended_Validation_Certificate

The term of art for what Let’s Encrypt provides is a domain validation certificate. That is, it only proves that the holder was in control of the domain name at the time the cert was generated.

> So, someone, please, set all of us straight: what is the state of the art
> today?

The answer could fill books. In a forum like this, you can only expect answers to specific questions for such broad topics.
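
The chaining arrangement described in the reply above, as an added example that is not part of the original message: a throwaway root signs two intermediates in turn, and a client whose trust store holds only `root.pem` accepts leaves issued under either one. The file names, CNs and the `www.example.test` host are constructed, and the script assumes an `openssl` binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example, not from the original message. File names, CNs and the
# www.example.test host are constructed; assumes openssl 1.1.1 or later.
set -eu
cd "$(mktemp -d)"   # scratch directory for the throwaway keys and certs

# Extension files: CA certs may sign other certs, leaf certs may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
serial=0

new_csr() {  # new_csr <name> <CN>: fresh RSA key plus a signing request
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

make_root() {  # self-signed root; in production this key stays offline
  new_csr root "Example Offline Root"
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.pem 2>/dev/null
}

issue() {  # issue <name> <CN> <issuer> <extfile>: cert for <name> signed by <issuer>
  new_csr "$1" "$2"
  serial=$((serial + 1))
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -set_serial "$serial" -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
}

verify() {  # verify <cert> [intermediate]: the trust store is root.pem only
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
  fi
}

make_root
issue inter1 "Example Issuing CA 1" root ca.ext     # the online signing cert
issue site1 "www.example.test" inter1 leaf.ext
# inter1's key is presumed escaped: the root signs a replacement intermediate
issue inter2 "Example Issuing CA 2" root ca.ext
issue site2 "www.example.test" inter2 leaf.ext

verify site1.pem inter1.pem && echo "site1 via inter1: accepted"
verify site1.pem || echo "site1 without its intermediate: rejected"
verify site2.pem inter2.pem && echo "site2 via inter2: accepted, root.pem unchanged"
```

The `-untrusted` file plays the part of the intermediate a TLS server sends in its handshake; the client never has to install it.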