[CentOS] Certificates

Sat Sep 1 18:10:29 UTC 2018
Rainer Duffner <rainer at ultra-secure.de>

> Am 01.09.2018 um 12:51 schrieb Pete Biggs <pete at biggs.org.uk>:
> That was until LetsEncrypt comes along - it has the backing of some big
> names and *IS* an effective business model for small and private
> customers.

What *is* the business model of Let’s Encrypt?

Are they going to issue „Pro“ certificates at some point that cost money?

Running a CA is not expensive per se - it’s the audits that the CAB (CA+Browser) Forum mandates that are expensive.

In the beginning, the certificates had a certain level of trust with them that came both from the high prices (deterring drive-by crooks) and the fact that some sort of vetting was made to ensure that nobody could have issued a certificate for a domain they didn’t really control.

But the latter step is not very friendly to automation. And CAs can principally issue certificates for any domain - a fact brought home by the compromise of the Dutch CA DigiNotar in the fall of 2011.
Adding to this is a concentration process in the industry that leads to fewer and fewer companies that know less and less about their customers.

These days, a certificate just shows that the communication is encrypted. Whether the other endpoint is what it claims to be is of no concern to any third party involved in setting up that communication process.

There’s even talk about deprecating the special handling browsers have for EV-certificates from future versions of Mozilla.