[Cryptography] New free TLS CA coming
pzbowen at gmail.com
Thu Nov 20 02:55:55 EST 2014
On Wed, Nov 19, 2014 at 11:27 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Mark Atwood <me at mark.atwood.name> writes:
>>So Mozilla et al have been giving CAcert the runaround for over 4 years now,
>>and then suddenly they create a more centralized less audited "Let's Encrypt"
>>shows up, and it's welcomed into the root?
> That was my immediate reaction as well. CACert has been given the runaround
> for more than just four years, it's been more than a decade, and yet as soon
> as a Mozilla-sponsored CA turns up it's in.
> Perhaps someone from Mozilla would be able to explain what the difference is
> that gets Let's Encrypt immediate acceptance while CACert has been left out in
> the cold for more than a decade.
I am not from Mozilla, but there have been postings in several forums
that answer this. The short answer is Let's Encrypt is not getting
special treatment from Mozillla. They are planning to start as CA
that is subordinate to the IdenTrust (DST) root and then apply for
acceptance into all browsers using the normal processes. Presumably
this means they will have to pass the same WebTrust for CA and
WebTrust for BR audits other CAs have to pass.
According to Ian Grigg, who was the independent auditor for CAcert,
they chose to not ask Mozilla to include CAcert in the Mozilla list of
trusted roots (https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c158).
More information about the cryptography