Given that some CI-Systems and IDS currently are significantly impacted by the US-Government-Shitdown, take a moment to think about this:

Imagine if Let's Encrypt were run by the US-Government…

The free certificate authority, which is the largest and most widely used cert provider in the world, is a significant single point of failure for IT systems all over our planet.

As much as I endorse their services, we MUST build equivalent alternatives in the EU, Asia, Africa, Oceania.

That's why I'm still an advocate of self-signed and self-maintained certs. I'd like to see a web of trust, as for PGP.

Kind of along those lines...
NTP, an underpinning of pretty much everything, has one guy maintaining it. Or at least it did a couple years ago.
One guy!

@MacLemon while I agree that some variety would be nice (if unrealistic: running this is nontrivial, and engineers are expensive), it is not actually a spot: commercial competitors exist.

@MacLemon you mean like Buypass (Norway) and GlobalSign (Belgium/Japan)?
It's just that we don't use them as much as LE :/

@MacLemon The ACME standards are even IETF standards and everything is open source software. The problem seems to be that it is expensive to run a CA at scale, and it is a lot of work to get your root certs included in browsers.

A model where there was an organisation that helps bootstrap and funnel funds to partner organisations that in turn run CAs might work (like torservers does for Tor exit relays).

Every time I think about this though I think about how much trust you can really put into TLS certificates and it makes me really sad. It's not just an issue if Let's Encrypt goes down, imagine if it is compromised, that's a lot of certs that you just then can't trust because you don't know if they were issued correctly. (Having ACME be an IETF standard does help with this because it gets reviewed by smart people, but even smart people can make mistakes.)
