[Cryptography] Apple's 13-month certificate policy
John Levine
johnl at iecc.com
Sun Feb 23 13:37:02 EST 2020
In article <7CADC833-73CB-440F-9B50-3A69B2909A0F at lrw.com> you write:
>> ACME works great for Let's Encrypt, but I expect it'll work less great
>> for CAs that want people to pay. There's no technical problem to take
>> a payment out of an account when they do a renewal, but I expect it'll
>> be a business problem to persuade customers either to prepay a balance
>> or trust some random CA reseller with their credit card info.
>This is a very telling comment, for anyone to whom it actually applies: They are willing to trust their CA to attest to
>their identity to everyone with whom they do business - who in turn must trust that attestation - but their credit card info
>... well, no. Rather revealing of what the CA business actually is.
It's slightly more than that. Back when I was paying for certs, I'd
pay $9 to some random reseller like cheapssls who would then pass me
to Comodo or Geotrust to generate the cert. I trusted cheapssls
enough to do a one-time transaction, but not enough to let them charge
me whenever they wanted. I probably would have trusted Comodo or
Geotrust, but they'd only do it at list price which was about 10x
more.
I agree that whatever the original plan was for CAs (see Phill's notes
about being secure enough to match the credit card threat model) it's
a house of cards now.
R's,
John