[Cryptography] Why Alexander Hanff won't be using "Let's Encrypt"

Phillip Hallam-Baker phill at hallambaker.com
Thu Dec 4 09:34:27 EST 2014

On Wed, Dec 3, 2014 at 2:00 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Wed, Dec 3, 2014 at 7:09 AM, Henry Baker <hbaker1 at pipeline.com> wrote:
>> 'It is an insane strategy by all parties involved - it removes all
>> confidence in TLS certificates as far as I am concerned and I will
>> absolutely not be using the service and have to strongly recommend others
>> refrain from doing so as well.'
> This is a silly argument. It presumes Let's Encrypt is going to have a
> bigger problem with misissuance than commercial CAs. Turns out that
> commercial CAs are good at misissuing certificates too.
> Whether or not misissuance will be a big problem with Let's Encrypt remains
> to be seen, but it's always been a problem with the CA system, and Let's
> Encrypt probably isn't going to change that. Can they do any worse than,
> say, DigiNotar?

Well they seem to be making a push to remove the most important CA
operational criterial which is the insurance requirement.

When I worked with Michael Baum, Warwick Ford and Michael Myers at
VeriSign we established a system that was designed to provide a
demonstration that a CA was demonstratively in compliance with its
certificate policy. One aspect of that was audit, but audit is
actually a fairly weak requirement on its own as the existence of
corrupt audit firms like Arthur "Enron-Deloran-Sunbeam' Anderson.

Putting the insurance requirement in was a meta control on the audit
control. The reason insurance makes a difference is that the insurer
has skin in the game while the auditor does not. There is no penalty
for a sloppy audit but an insurer could be out a lot of money in the
case of a failure.

In the event DigiNotar failed in a manner that was not anticipated by
our original architecture which was to provide a commercial service to
enable e-commerce. Government actors were not considered in the design
and at the time most people thought that we were being overly
paranoid. Which given the number of failures since, we probably were.
The browser providers find a security bug in their code every week. CA
misissue is much rarer, so rare in fact that they decided they didn't
need to bother with the revocation/status controls.

One consequence of the manner in which DigiNotar was breached is that
the company was shut down and put into bankruptcy through government
decree. As a result the insurance controls were never activated, there
wasn't time.

The bigger problem with LetsEncrypt is understanding their finances
and whether they can support free certificates at Internet scale. And
while the marginal cost of issuing a certificate is negligible, the
fixed costs are far from negligible. It does not cost Intel very much
to run raw silicon through their fab. The biggest variable cost in a
chip is actually the carrier. But I just paid $500 for one of those
chips because Intel has to recoup the multi-billion dollar cost of
development and the fab.

Open source software works fine because a billion times zero is zero.
A billion times a 'negligible' cost starts to add up. Which is why
open services tend to be free on introduction and gradually become
limited and paid. My Verizon modem lets me subscribe to one of five
built in 'free' dynamic DNS providers. Guess what, none of them is
free any more for an unrestricted service. I have to keep renewing my
account every 30 days to get free.

More information about the cryptography mailing list