I agree that ACME alone is not the issue, so many of the criticisms I would levy against it apply equally well to other, more proprietary interfaces that the other CAs use (and I do commend ISRG for taking the open and transparent route). For that matter, are existing CAs required to undergo frequent security scans/reviews of their interfaces, both browser-based and otherwise? Do we know that their websites pass even the most basic pen-tests? As the bad guy, I hope the answer is no. Personally I see ease and ubiquity as more appealing than the cost. It's easy and cheap to get a stolen credit card number so cost isn't much of a deterrent to the bad actor. But you'd still have to get one, so a free cert is an easy cert and, thus, more appealing. (You might want to dust off your popcorn machine in case we need it.)
On Tue, Jun 28, 2016 at 09:52:59PM -0500, Peter Kurrasch wrote:
> At issue is the degree to which automation is featured in the operating
> model of the Let's Encrypt CA. Fast, easy, cheap, and with little
> chance for human intervention or oversight...that's a recipe for abuse.

Every CA that I've ever used automates DV issuance. My DV certs always seem to turn up within a minute or so of validating them -- no way a human is consistently doing meaningful checks in there. ACME isn't the issue either; most other CAs have (hideous) APIs to make requests automatic.

The only difference here between LE and every other CA is that issuance from LE is free. While it's not a meaningful speedbump for the modern criminal, it does at least mean they've got to find a stolen CC.

Personally, I'd love to have the popcorn concession on a discussion about whether to require payment for DV certs; I could retire on the proceeds.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

