[RndTbl] "Let's Encrypt" by the Internet Security Research Group (ISRG)

Trevor Cordes trevor at tecnopolis.ca
Sun Feb 5 16:35:01 CST 2017


On 2017-02-05 Hartmut W Sager wrote:
> https://letsencrypt.org/
> 
> They don't seem to be part of the usual gang - FSF, GNU, GPL, Apache,
> Linux, etc., etc., yet they express similar philosophies.  Who are
> they? How credible are they and their effort?  And how does their
> effort compare to other free security certificates?

Like David said, their main thrust is automated deployment.
Unfortunately, in my mind that's their biggest downside.  You
*must* use their automated tools: AFAIK they provide no normal
manual/email way to obtain their certs.  That means any processes
you've created in-house to handle certs (like I have) are instantly
incompatible and would require modification.  And it's not just the
cert files, their tools auto-edit Apache configs, etc.  Also, I'm not
sure if their tools tie the cert into other SSL-able daemons like
sendmail, or if that's even possible given their cert settings.

Also, they issue certs only for 3 months at a time, which kind of
necessitates their automated tools.

It's kind of funny, they concentrate so much on deployment when I think
the main impediment to most people vis a vis SSL is cost.  They have
the cost thing beat (free) but then they force you into their
proprietary deployment model.

Other than that, I'd say they look legit and benign, and we've talked
about them at MUUG before and everyone seems to agree.  If you don't
run any SSL now and you aren't terribly experienced with it, I see no
downside to using Let's Encrypt.  If you already have SSL deployed,
do your research before jumping on board just to turn your yearly cost
into "free".

Oh ya, one more good thing about Let's Encrypt: they're causing the big
players to lower their low-end cert prices a bit!  That's always good
news.

