by vonklaus 3897 days ago
We’re pleased to announce that we’ve received cross-signatures from IdenTrust

This is what is wrong with the CA model, not their method of announcing it to a community anxiously awaiting the arrival of their product. What is absurd is that IdenTrust has a shitty non-responsive 90's looking website and wants $299 for an SSL certificate, which is something that should be free. I will say though, they really did sell me on their trustworthiness with the alternating images of a fingerprint and a lock. So now I know they're legit. It is worth the $99 for SSL on a single site annually because there is binary data superimposed on some of the pictures.


I don't think he was saying they acted poorly by announcing on HN, but that he would prefer to grant someone trust rather than have it forced on him before he even knew about it. Not an easy task for a functional web, but it would obviously be better if possible.
There's many ways, all obnoxiously complex unless you go back to a CA-ish voluntary trust model.

Keys as addresses (I2P, Tor hidden services, CJDNS) fixes a large part of the security problem, then on top of that you can add your choice of address translation. WoT style individualized trust webs? Trusted lists of name assignments DNS style? First-come first-serve à la Namecoin?

Not necessarily. You could also place domain validated trust in the registrars, to cryptographically verify their delegations. That would build a chain of trust which you in turn could use to validate keys for services in those domains.
That's the DNSSEC+DANE approach and that's still the same as the DNS approach I listed (trusted name registry lists), except that the address isn't an IP-address (or in other words, your domain's DNS server that says what IP addresses your subdomains have is itself identified by a public key).
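The DNSSEC+DANE approach discussed in the two comments above binds a service's key to a DNS name via a TLSA record instead of a CA signature. As an added example (not code from the thread), this builds a constructed dummy X.509 certificate, extracts its SubjectPublicKeyInfo, and generates and checks TLSA association data for the RFC 6698 selector and matching types; the certificate contents and key bytes are made up so it runs offline.

```python
import hashlib
def der(tag, body):
    """Minimal DER TLV encoder (used only to build the dummy certificate)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(buf, off):
    """Decode one DER TLV at buf[off] -> (tag, value, end_offset)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + ln], off + ln

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV, the input for TLSA selector 1."""
    _, cert_body, _ = tlv(cert_der, 0)
    _, tbs, _ = tlv(cert_body, 0)
    fields, off = [], 0
    while off < len(tbs):
        tag, _, end = tlv(tbs, off)
        fields.append((tag, tbs[off:end]))
        off = end
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes first
        fields.pop(0)
    return fields[5][1]  # serial, sigAlg, issuer, validity, subject, SPKI

# Constructed dummy X.509 (empty names/validity, 16-byte fake key, no real signature).
_SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
SPKI = der(0x30, _RSA + der(0x03, b"\x00" + b"\xab" * 16))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SHA256_RSA
          + der(0x30, b"") * 3 + SPKI)
CERT_DER = der(0x30, TBS + _SHA256_RSA + der(0x03, b"\x00" * 9))

def _assoc_data(cert_der, selector, mtype):
    """RFC 6698 data: selector 0 = full cert, 1 = SPKI; mtype 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return {0: data, 1: hashlib.sha256(data).digest(), 2: hashlib.sha512(data).digest()}[mtype]

def tlsa_record(cert_der, usage=3, selector=1, mtype=1):
    """Presentation form, e.g. '3 1 1 <hex>' = DANE-EE, SPKI, SHA-256."""
    return f"{usage} {selector} {mtype} {_assoc_data(cert_der, selector, mtype).hex()}"

def tlsa_matches(record, cert_der):
    """True if cert_der satisfies the record's data. Only usage 3 (DANE-EE) is fully
    decided by this comparison; usages 0-2 also require PKIX chain validation."""
    usage, selector, mtype, assoc = record.split(maxsplit=3)
    if int(usage) not in (0, 1, 2, 3) or int(selector) not in (0, 1) or int(mtype) not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters")
    return _assoc_data(cert_der, int(selector), int(mtype)) == bytes.fromhex(assoc.replace(" ", ""))
```

With DANE the record itself must be DNSSEC-signed, otherwise the registrar chain the comment describes is only as strong as unauthenticated DNS.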
Your last three sentences are sarcastic nerd-rage (with which I completely agree), but your boss (not _your_ boss, necessarily, but the more generic/stereotypical "your boss") utters those words in complete earnestness...
Nothing you said is a reason for not using Let's Encrypt.
To be clear, I am massively excited to use Let's Encrypt and plan on setting up SSL for the first time ever when it launches. I am legit broke so I can't afford to pay a lot of money for someone to have an automated process of:

    gpg --gen-key
I was responding to parent, that announcing trust is a weird quirk of the CA model. TBH, that is correct, but I find it more bizarre Let's Encrypt has to be "trusted" by an unknown company that no one really knows anything about. That is the bit I find weirdest.
Although I loved your sarcastic remarks about the cool pictures, I do want to point out that there are two issues with your argument:

a) There is something else that you know about IdenTrust, and that is that your browser vendor trusts them. This is the whole point of this CA thing: in the end you trust whom your browser vendor trusts (with the option of removing CAs for which you disagree). This is far from perfect (especially since the vendors' vetting process can be quite opaque), but it is not nothing - after all, you should trust your browser vendor, otherwise all the encryption of the world can't save you from someone eavesdropping on your websurfing.

b) Your argument can be read (or misconstrued?) to state that it would be perfectly reasonable to trust IdenTrust if they had a 2015-looking, professional website written in Angular and node instead. Which, of course, is not the case as many who entrusted their money to fraudsters with professional looking websites will be able to attest to.

You raise some good points, and I totally agree. The thing is, when the drduh Yosemite guide came out (around the time Google dropped CNNIC) I looked into it a bit. I dropped a ton of certs, mostly international ones (about 40) and the only site that broke was Bing.

> you trust who your browser trusts

Exactly, and my OS. But I run Mac and, I am sure Windows users can relate, there are over 200 CAs and I have no idea what heuristics can be used to determine whether they are trustworthy. It wouldn't be a big deal except a compromise at ANY means they could fake ANY website.

Now, on a serious note. If you were running node and you had a super clean React front end with a picture of Jamie Lee Miller from Hackers superimposed over the Ghostbusters symbol (responsive using HTML5 flex boxes) for sure I would trust you with the security for every website I visit.

I just meant the comment more as IdenTrust looks like a random rent collector who hasn't updated their business model since 1995. As a broker of trust, I find it disconcerting I know fuck all about them and even if I did, there are hundreds more like that. If you have the money (I don't, because I am broke), for sure it would be worth $100 for a padlock when a user hits your site. With nothing more to go on than their site though, it looks like they have been on autopilot for 10 years and I can't wait for Let's Encrypt to go live.