[RndTbl] "Let's Encrypt" by the Internet Security Research Group (ISRG)

Kevin McGregor kevin.a.mcgregor at gmail.com
Sun Feb 5 20:42:44 CST 2017


Well, Let's Encrypt is a service provided by the Internet Security Research
Group <https://en.wikipedia.org/wiki/Internet_Security_Research_Group> (ISRG),
a public benefit <https://en.wikipedia.org/wiki/Public_benefit> organization.
Major sponsors are the Electronic Frontier Foundation
<https://en.wikipedia.org/wiki/Electronic_Frontier_Foundation> (EFF),
the Mozilla
Foundation <https://en.wikipedia.org/wiki/Mozilla_Foundation>, OVH
<https://en.wikipedia.org/wiki/OVH>, Akamai
<https://en.wikipedia.org/wiki/Akamai_Technologies>, and Cisco Systems
<https://en.wikipedia.org/wiki/Cisco_Systems>. Other partners include the
certificate authority IdenTrust <https://en.wikipedia.org/wiki/IdenTrust>,
the University of Michigan
<https://en.wikipedia.org/wiki/University_of_Michigan> (U-M), the Stanford
Law School <https://en.wikipedia.org/wiki/Stanford_Law_School>, the Linux
Foundation <https://en.wikipedia.org/wiki/Linux_Foundation> as well
as Stephen Kent from Raytheon <https://en.wikipedia.org/wiki/Raytheon>/BBN
Technologies <https://en.wikipedia.org/wiki/BBN_Technologies> and Alex
Polvi from CoreOS <https://en.wikipedia.org/wiki/CoreOS>.

So... How far do you trust any or all of the above?

On Sun, Feb 5, 2017 at 7:58 PM, Adam Thompson <athompso at athompso.net> wrote:

> Yes, the automation is the whole *point* of LetsEncrypt.
> As you say, the main impediment is cost, which is why they're free - but
> in order to sustain that cost structure, manual processes must be excised
> completely and utterly.  The 90-day lifetime is a compromise between
> convenience and security - even if your cert is compromised somehow (say
> because of badly-implemented automation tools), the compromise is only
> relevant for 90 days.
> Obviously, LetsEncrypt isn't going to be issuing any high-assurance
> certificates; their goal is simply to get *everyone* to encrypt, to
> eliminate the cost issue as an excuse.
> Many people much smarter than I have complained that the biggest problem
> with LetsEncrypt is that they appeared at exactly the wrong time; that
> their existence will cause the entire (badly broken) PKI system to *not*
> simply fall into disuse now, which was otherwise being predicted as a near-
> to medium-term consequence of its fundamental brokenness and multiple
> compromises.
> I'm already using LetsEncrypt certificates in a couple of places, where I
> don't care about the "quality" of the certificate; it's automatically
> "better" than a self-signed certificate unless you're both extremely
> cautious AND inhumanly diligent.
> For me, it's more a convenience tool to get rid of the browser's warning
> page upon encountering a self-signed cert.
> Note also that LetsEncrypt certificates, unlike self-signed certificates,
> work with opportunistic TLS in SMTP.
> -Adam
>
> > -----Original Message-----
> > From: Roundtable [mailto:roundtable-bounces at muug.ca] On Behalf Of
> > Trevor Cordes
> > Sent: February 5, 2017 16:35
> > To: roundtable at muug.ca
> > Subject: Re: [RndTbl] "Let's Encrypt" by the Internet Security Research
> > Group (ISRG)
> >
> > On 2017-02-05 Hartmut W Sager wrote:
> > > https://letsencrypt.org/
> > >
> > > They don't seem to be part of the usual gang - FSF, GNU, GPL, Apache,
> > > Linux, etc., etc., yet they express similar philosophies.  Who are
> > > they? How credible are they and their effort?  And how does their
> > > effort compare to other free security certificates?
> >
> > Like David said, their main thrust is automated deployment.
> > Unfortunately, in my mind that's their biggest downside.  You
> > *must* use their automated tools: AFAIK they provide no normal
> > manual/email way to obtain their certs.  That means any processes
> > you've created in-house to handle certs (like I have) are instantly
> > incompatible and would require modification.  And it's not just the cert
> > files, their tools auto-edit apache configs, etc.  Also, I'm not sure if their
> > tools tie the cert into other SSL-able daemons like sendmail, or if that's
> > even possible given their cert settings.
> >
> > Also, they issue certs only for 3 months at a time, which kind of
> > necessitates their automated tools.
> >
> > It's kind of funny, they concentrate so much on deployment when I think
> > the main impediment to most people vis a vis SSL is cost.  They have the
> > cost thing beat (free) but then they force you into their proprietary
> > deployment model.
> >
> > Other than that, I'd say they look legit and benign, and we've talked
> > about them at MUUG before and everyone seems to agree.  If you don't
> > run any SSL now and you aren't terribly experienced with it, I see no
> > downside to using let's encrypt.  If you already have SSL deployed, do
> > your research before jumping on board just to turn your yearly cost into
> > "free".
> >
> > Oh ya, one more good thing about Let's Encrypt: they're causing the big
> > players to lower their low-end cert prices a bit!  That's always good news.
> > _______________________________________________
> > Roundtable mailing list
> > Roundtable at muug.ca
> > https://muug.ca/mailman/listinfo/roundtable