> On 01.09.2018 at 12:51, Pete Biggs <pete at biggs.org.uk> wrote:
>
> That was until LetsEncrypt comes along - it has the backing of some big
> names and *IS* an effective business model for small and private
> customers.

What *is* the business model of Let's Encrypt? Are they going to issue "Pro" certificates at some point that cost money?

Running a CA is not expensive per se - it's the audits that the CAB (CA+Browser) Forum mandates that are expensive.

In the beginning, the certificates had a certain level of trust with them that came both from the high prices (deterring drive-by crooks) and the fact that some sort of vetting was made to ensure that nobody could have issued a certificate for a domain they didn't really control. But the latter step is not very friendly to automation. And CAs can principally issue certificates for any domain - a fact brought home by the compromise of Dutch CA DigiNotar in the fall of 2011.

Adding to that is a concentration process in the industry that leads to fewer and fewer companies that know less and less of their customers.

These days, a certificate just shows that the communication is encrypted. Whether the other endpoint is what it claims to be is of no concern to any third party involved in setting up that communication process. There's even talk about deprecating the special handling browsers have for EV certificates from future versions of Mozilla.