I am from Mozilla, and the replies here are exactly right. From the perspective of the Mozilla root CA program, Let's Encrypt will be treated as any other applicant, should they choose to apply. No "immediate acceptance", no "less audited" -- same audit requirements and application process as everyone else.
--Richard

Sent from my iPhone. Please excuse brevity.

> On Nov 20, 2014, at 02:45, Matt Palmer <[email protected]> wrote:
>
>> On Thu, Nov 20, 2014 at 08:27:37PM +1300, Peter Gutmann wrote:
>> Mark Atwood <[email protected]> writes:
>>>> On Tue, Nov 18, 2014, at 11:25, Salz, Rich wrote:
>>>> Initial drop of code and specs available here:
>>>> https://github.com/letsencrypt
>>>>
>>>> From https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html :
>>>
>>> So Mozilla et al have been giving CAcert the runaround for over 4 years now,
>>> and then suddenly they create a more centralized less audited "Let's Encrypt"
>>> shows up, and it's welcomed into the root?
>>>
>>> How... interesting.
>>
>> That was my immediate reaction as well. CACert has been given the runaround
>> for more than just four years, it's been more than a decade, and yet as soon
>> as a Mozilla-sponsored CA turns up it's in.
>>
>> Perhaps someone from Mozilla would be able to explain what the difference is
>> that gets Let's Encrypt immediate acceptance while CACert has been left out in
>> the cold for more than a decade.
>
> Well, I'm not from Mozilla, but I've taken a close look at how this is all
> going to work (as much as can be determined at this early stage). Hopefully
> I've got some useful info to add.
>
> Let's Encrypt isn't getting into "the root" of anywhere. They're apparently
> getting an intermediate CA cert from IdenTrust, which will be declared and
> brought under the same audit regime as the rest of IdenTrust's CA hierarchy.
> I've heard mutterings that eventually they want to run their own root, but
> that'll take at least a year to go *anywhere*.
>
> Being granted some sort of magical benefit by Mozilla wouldn't help LE
> *anyway*, because they'd still need to get into Microsoft, Apple, and
> Android's trust stores, at a minimum, to get even close to what they want to
> achieve. Trying to make this out as some sort of conspiracy by Mozilla
> against CAcert isn't helpful to either organization -- and it isn't as
> though CAcert has managed to get into any other major OS' trust store,
> either, so it isn't as though Mozilla *alone* has something against CAcert.
>
> - Matt
>
> --
> There is no finite resource poor policy making can't make scarce.
> -- David Conrad, in NANOG
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

