by tialaramex 3522 days ago
(Not for ygjb-dupe's interest as I'm sure they know already, but for the sake of the thread)

To slightly expand, getting trusted by the key trust stores (laughably pretending to each represent a "Web browser" at CA/B although nobody would mistake Apple or Microsoft for mere web browser vendors) takes far, far too long to be practical as a first step. Mozilla was fastest and they quote 12-24 months typically, whereas Apple and Oracle are both famously slow to react, and might not sign off on Let's Encrypt for years yet to come.

Well, Let's Encrypt works today, so how did they do that? There's a way to sidestep the trust stores. An existing trusted Certificate Authority can sign a certificate which, instead of saying "This is a web server", says basically "This is another Certificate Authority". Let's Encrypt got theirs signed by Identrust. This is called "cross signing". But of course, to get an existing CA to sign your CA certificate they need to be sure you're not going to screw up, because it's their reputation on the line as well as yours. So although this is faster than talking to all the CA/B "browser" members for years, it still needed a lot of hard work by ISRG's team.


Indeed, I don't recall atm which one Amazon used for their SSL offerings (which are coupled to AWS iirc), but they used the same approach (while also going through the normal channels).