15 04 | 2016

Let's Encrypt: threat or opportunity to other certificate authorities?

Written by Tanguy

Classified in : Homepage, Debian, Command line, Miscellaneous

Let's Encrypt is a certificate authority (CA) that just left beta stage, that provides domain name-validated (DV) X.509 certificates for free and in an automated way: users just have to run a piece of software on their server to get and install a certificate, resulting in a valid TLS setup.

A threat to other certificate authorities

By providing certificates for free and automatically, Let's Encrypt is probably a threat a other CAs, a least for part of their activity. Indeed, for people that are satisfied with DV certificates, there are not many reasons to pay a commercial CA to get certificates in a non-automated way. For the CAcert non-commercial CA, that may mean a slow death, as this is their main activity¹.

For people that want organization-validated (OV) or extended validation (EV) certificates, Let's Encrypt is not suitable, so it will not change anything regarding that.

An opportunity for the most reactive

The entrance of Let's Encrypt is also a significant opportunity for the certificate authorities that will be reactive enough to take advantage of their innovation. Indeed, they introduced automation in both domain name validation and certificate issuance (and revocation), by defining an open protocol that is meant to become an Internet standard. That protocol, named ACME, is not tied to Let's Encrypt and has several free software implementations, so it could be used for the same purpose by commercial CAs.

A certification authority could, for instance:

  • ask the customer to provision some pre-paid account;
  • manually validate the customer's identity once;
  • allow the customer to register using ACME, and associate that registration to his validated identity;
  • allow the customer to get organization-validated, or perhaps even extended validation certificates using ACME, and making corresponding debits to his pre-paid account.

Such processes may require or benefit from improvements of the ACME protocol, which is the very reason Internet standards are defined in an open way.

The first certification authority that would implement such a process could gain an advantage over its competitors, as it would greatly simplify getting and renewing certificates. I think even Let's Encrypt people would be happy to see that happen, as it would serve their goal, that is basically to help securing the Internet! Personally, I could buy such a service (assuming it is not restricted to juridical persons, according to a quite common (and detestable) sale discrimination against natural persons²).

Notes

  1. CAcert is an unrecognised certificate authority, that provides an identity validation through a web of trust, and issues DV server certificates that do not include the validated identity. Now that Let's Encrypt can issue valid DV certificates, CAcert is no longer relevant for that activity. It also issues personal certificates, that do include the validated identity, and that can be used for encryption (e.g. S/MIME), signing (e.g. code signing) or authentication, which is an activity Let's Encrypt does not compete with.
  2. Yes, the Organization field of a certificate is probably not relevant to indicate a physical person's name, but the CommonName field is. Yes, that field is usually abused to store the domain name, but a proper use would be to put the owner's name in the CommonName field, and the domain names in the subjectAltName field.

3 comments

friday 15 april 2016 à 16:45 Martin said : #1

I desperately need wildcard certificates for one of my sites. I hope that LE will support them at some point.

friday 15 april 2016 à 16:59 Tanguy said : #2

@Martin: Apparently, they do not plan to, but they do not exclude that possibility either. I wonder what you could be doing that requires that, but anyway, this is a perfect example of a service a commercial CA could provide using the ACME protocol!

friday 15 april 2016 à 20:10 Chris Siebenmann said : #3

In the short term, I think that commercial CAs will be mostly unaffected due to the short duration of LE certificates. In the long run a lot of software will probably handle them automatically, but for now you have to put together an automation solution for it and it's easier (and potentially less time) to just pay <X> to a commercial CA for a N year certificate.

There's also an existing commercial CA that offers free DV certificates, and they don't seem to have killed the businesses of the other CAs. This isn't quite the same setup as LE because LE has automated issuing (which is much nicer than wrestling with a CA's terrible website), but it does suggest that many certificate buyers are not that price sensitive.

Write a comment

What is the last letter of the word vhpmp? : 

Archives