[Cryptography] letsencrypt.org
Viktor Dukhovni
cryptography at dukhovni.org
Thu Sep 14 02:23:55 EDT 2017
> On Sep 13, 2017, at 9:50 PM, John Levine <johnl at iecc.com> wrote:
>
>> Given their reasonably clear and transparent practices, I'd
>> be pleased if they became the *only* non-EV CA on the market.
>> The price is right, and the security is about as good as it
>> gets with DV. The commercial CAs can then focus on properly
>> verifying the minority of customers who need EV certs.
>
> This is the crux of the matter. Everything that is wrong with LE is
> also wrong with the other DV providers, and LE is cheaper and appears
> quite competent.

Yep, nice to see that you concur...

> PS: It occurs to me that LE makes the case for DANE a lot weaker.

If the case for DANE were the price of CA certificates, then indeed
you'd be right. For me the case for DANE is not the price.

  * DANE is a more secure DV, since there's no leap of faith, the
    keys are published via the login account that controls the domain.

  * DANE supports downgrade resistant policy signalling for opportunistic
    TLS, which is well suited to SMTP.

But we digress...
--
Viktor.
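
The downgrade resistance named in the second bullet of the message above, as an added example that is not part of the original post or of any project's code: a sketch of the per-MX decision an opportunistic-DANE SMTP client makes, modelled on the client behaviour in RFC 7672. The function names, status strings and sample key bytes are hypothetical and constructed for illustration.

```python
import hashlib

# TLSA "3 1 1": usage DANE-EE(3), selector SPKI(1), matching type SHA-256(1).
def tlsa_311_matches(records, spki_der):
    """True if any (usage, selector, mtype, data_hex) record pins this key."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return any(r[:3] == (3, 1, 1) and r[3].lower() == digest for r in records)

def delivery_decision(dnssec_status, tlsa_records, starttls_offered, spki_der):
    """Decide what an opportunistic-DANE SMTP client does for one MX host.

    dnssec_status: 'secure' (validated answer or validated denial),
                   'insecure' (zone not signed), or 'bogus' (validation or
                   lookup failure). spki_der is None when no TLS handshake
                   was possible.
    """
    if dnssec_status == "bogus":
        # Cannot tell whether TLSA records exist: do not fall back.
        return "defer"
    if dnssec_status == "insecure" or not tlsa_records:
        # No signed policy published: plain opportunistic TLS.
        return "send-unauthenticated-tls" if starttls_offered else "send-cleartext"
    # Signed TLSA records exist, so TLS with a matching key is mandatory.
    if not starttls_offered or spki_der is None:
        return "defer"   # STARTTLS missing or stripped: never send in clear
    if tlsa_311_matches(tlsa_records, spki_der):
        return "send-authenticated-tls"
    return "defer"       # presented key does not match the published pin

# Constructed sample data (not a real key or a real domain's record).
SAMPLE_SPKI = b"constructed-subject-public-key-info"
SAMPLE_TLSA = [(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).hexdigest())]
```

The same missing STARTTLS offer yields `send-cleartext` for an unsigned domain but `defer` once signed TLSA records exist, which is the policy signal a plain opportunistic client lacks.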