[AusNOG] Lets Encrypt

Matt Palmer mpalmer at hezmatt.org
Wed Nov 19 14:46:01 EST 2014


On Wed, Nov 19, 2014 at 10:38:41AM +1000, Colin Stubbs wrote:
> @Ernie, it won't in the short term, and may not at all.
> 
> That's for a lot of reasons, but mostly because they haven't described the
> limitations that will be applied to free certs.
> 
> e.g. will they issue Extended Verification certs for free? Probably not.

Definitely not.

> e.g. will they issue wildcard certs for free? Probably not.

That's a bit up in the air.  In theory, if you can demonstrate control over
the DNS for the domain, there's no reason not to be able to get a wildcard
cert.  Heck, the DNS-based mechanism for validation in ACME doesn't actually
preclude validating the wildcard name.

That being said, there's far less reason to need a wildcard cert as SNI
moves towards being universally supported.  With near-instantaneous
issuance, even the remaining reasons for needing a wildcard (SaaS platforms
offering <customer>.example.com) become less of an issue.

> e.g. will you be able to customise the alternative names list for free?
> Probably not.

Yes, you can.  ACME has support for requesting a certificate containing
multiple subjectAltName entries, as long as you've demonstrated control of
all of the names you want listed.

> e.g. will you be able to customise the validity period for free? Probably
> not.

That's actually kind of irrelevant, because part of the lets-encrypt tool
that is being posited is that it'll automatically handle renewal.

One thing I think you might not have picked up on is that LE is run by a
non-profit entity; while that doesn't preclude them from charging for
services, it certainly removes most of the motive for offering "upsell"
opportunities, like most CAs do.

> As the vast majority of people involved in requesting and using
> certificates don't know there are alternatives now, they won't know Let's
> Encrypt exists after it launches, at least for a year or two. The way your
> average IT monkey thinks, particularly within large enterprise, will also
> mean they'll continue to go to Verisign/etc for quite some. Some of the
> large corps I deal with still actually just buy their certs from GoDaddy :-(

There is that.

> It'd be nice to see their certificate management agent integrated into network
> router/switch/firewalls/etc in some way, although the verification process
> would still probably need input in some way.

The ACME protocol is designed to be entirely hands-off; assuming that the
router/switch/firewall can demonstrate control over a name (and there's a
couple of cute new schemes in the draft RFC that don't need e-mail or DNS)
then there's no reason why those devices couldn't automagically get
certificates for themselves.

- Matt

-- 
"I have a cat, so I know that when she digs her very sharp claws into my
chest or stomach it's really a sign of affection, but I don't see any reason
for programming languages to show affection with pain."
		-- Erik Naggum, comp.lang.lisp
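The post above makes two protocol points: ACME will put several names in one certificate only if control of every one of them has been proven, and the DNS-based validation is what makes a wildcard name checkable. Below is an added, offline model of both rules as they were eventually standardised in RFC 8555 (the 2019 successor of the draft the post refers to), with the dns-01 challenge value derived from the account key as RFC 8555 and RFC 7638 specify. This is example code written for this page, not code from the original post, from the Let's Encrypt client or from any CA; the account key, token and authorization table are constructed sample data, and `csr_names_authorized` is a hypothetical simplification of the finalize-time check, not the CA's actual implementation.

```python
"""Offline model of two ACME rules (RFC 8555): how a dns-01 TXT value is
derived from the account key, and why a CSR may only name identifiers
that carry a *valid* authorization. Example code, not from the post."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME/JWS uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised in lexicographic key order with no whitespace."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record content for dns-01: base64url(SHA-256(token '.' thumbprint)).
    The token comes from the CA; the thumbprint ties the proof to *this*
    account key, so a copied TXT record cannot be replayed by another account."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_label(name: str) -> str:
    """Owner name the CA queries for dns-01. For a wildcard the CA strips the
    leading '*.' and validates the base name, which is exactly why proving
    DNS control is enough to obtain a wildcard certificate."""
    base = name[2:] if name.startswith("*.") else name
    return f"_acme-challenge.{base}"


def csr_names_authorized(csr_sans, authorizations):
    """Return the subjectAltNames a CA must refuse at finalize time.
    `authorizations` maps identifier -> (status, challenge type used).
    A name passes only if its own identifier has a valid authorization;
    a wildcard additionally requires that the proof was dns-01, the only
    challenge type RFC 8555 permits for wildcard identifiers."""
    rejected = []
    for san in csr_sans:
        status, challenge = authorizations.get(san.lower(), ("missing", None))
        if status != "valid":
            rejected.append(san)          # never proven, or still pending
        elif san.startswith("*.") and challenge != "dns-01":
            rejected.append(san)          # wildcard proven the wrong way
    return rejected


# Constructed sample data: not a real account key, CA token or CA response.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_AUTHZ = {
    "www.example.com": ("valid", "http-01"),
    "example.com": ("valid", "dns-01"),
    "*.example.com": ("valid", "dns-01"),
    "mail.example.com": ("pending", "http-01"),
}


def demo():
    """Finalize a CSR listing five SANs against the sample authorizations."""
    csr_sans = ["www.example.com", "example.com", "*.example.com",
                "mail.example.com", "shop.example.net"]
    return csr_names_authorized(csr_sans, SAMPLE_AUTHZ)


if __name__ == "__main__":
    print(challenge_label("*.example.com"), "TXT",
          dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("rejected SANs:", demo())
```

Two things the model makes visible that the prose only implies: each SAN is checked against its own authorization (a valid `example.com` does not cover `mail.example.com`, and a valid `*.example.com` does not cover the apex), and the wildcard path exists only because the dns-01 proof is anchored at `_acme-challenge.` under the base name, so an agent that can publish one TXT record can obtain a wildcard without any per-host interaction.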
