by halomru 3264 days ago
Punishing CAs for bad behavior (i.e. security problems) has more collateral damage the bigger a CA is. Right now, if a CA is bad enough, browsers just stop accepting their certificates. After a certain size that becomes unfeasible, removing a lot of pressure from that CA.

No, browsers don't do that. See how WoSign was distrusted[0]. Basically, they still trusted existing certificates, but stopped trusting new certs (whether renewed or brand new). Through this, they kept collateral damage to a minimum, while carrying out the CA death sentence.

[0] https://blog.mozilla.org/security/2016/10/24/distrusting-new...

The trouble is that's only possible with the CA's cooperation, because they have the ability to backdate the certificates by falsifying the date. In the case of WoSign Mozilla threatened to distrust them completely if they did that, but if it's unfeasible to remove a CA that threat may be ineffectual.
This kind of forgery can be mitigated by requiring all certificates to be published to a Certificate Transparency server upon issuance. You can't backdate a public ledger that is being watched by third parties.
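The backdating check the two comments above describe can be automated against the SCTs a CA embeds in a certificate at issuance. The script below is an added example, not code from the thread or from Mozilla: it parses the RFC 6962 SignedCertificateTimestampList structure with only the standard library and flags a certificate whose notBefore precedes the earliest embedded SCT timestamp by more than a tolerance. The log IDs, timestamps, signatures and the 24-hour tolerance are all constructed for illustration; the SCT signatures are not verified here (that needs the log's public key), so in production the check only means something after signature verification.

```python
"""Flag certificates whose notBefore is suspiciously earlier than their
embedded Certificate Transparency SCTs (RFC 6962 section 3.2 wire format).

Added example; all sample data below is constructed, not from a real CA or log.
"""
import struct
from datetime import datetime, timedelta, timezone

SCT_V1 = 0
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_sct(raw: bytes) -> dict:
    """Parse one SignedCertificateTimestamp:
    version(1) || log_id(32) || timestamp(8, ms since epoch) ||
    extensions(2-byte length + data) ||
    digitally-signed(hash alg 1, sig alg 1, 2-byte length, signature)."""
    if raw[0] != SCT_V1:
        raise ValueError(f"unsupported SCT version {raw[0]}")
    log_id = raw[1:33]
    (ts_ms,) = struct.unpack_from("!Q", raw, 33)
    (ext_len,) = struct.unpack_from("!H", raw, 41)
    sig_off = 43 + ext_len
    hash_alg, sig_alg = raw[sig_off], raw[sig_off + 1]
    (sig_len,) = struct.unpack_from("!H", raw, sig_off + 2)
    signature = raw[sig_off + 4: sig_off + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated SCT signature")
    return {
        "log_id": log_id,
        # integer arithmetic avoids float rounding on the millisecond timestamp
        "timestamp": EPOCH + timedelta(milliseconds=ts_ms),
        "extensions": raw[43:sig_off],
        "hash_alg": hash_alg,
        "sig_alg": sig_alg,
        "signature": signature,
    }


def parse_sct_list(blob: bytes) -> list:
    """Parse the OCTET STRING body of the 1.3.6.1.4.1.11129.2.4.2 extension:
    a 2-byte total length followed by 2-byte-length-prefixed SCTs."""
    (total,) = struct.unpack_from("!H", blob, 0)
    if total != len(blob) - 2:
        raise ValueError("SCT list length does not match payload")
    scts, pos = [], 2
    while pos < len(blob):
        (n,) = struct.unpack_from("!H", blob, pos)
        pos += 2
        scts.append(parse_sct(blob[pos:pos + n]))
        pos += n
    return scts


def check_issuance_date(not_before: datetime, sct_list_blob: bytes,
                        tolerance: timedelta = timedelta(hours=24)) -> str:
    """Return 'no-sct', 'consistent' or 'backdated'.

    Precertificate SCTs are obtained at issuance, so the earliest SCT timestamp
    is an independent record of when the cert was really signed. A notBefore
    far earlier than that (beyond `tolerance`, an assumed policy value) is the
    backdating pattern. A cert with no SCTs cannot be checked this way at all,
    which is why CT publication has to be mandatory for the check to bite."""
    scts = parse_sct_list(sct_list_blob) if sct_list_blob else []
    if not scts:
        return "no-sct"
    earliest = min(s["timestamp"] for s in scts)
    return "backdated" if earliest - not_before > tolerance else "consistent"


# --- constructed sample data (builders mirror the parser's wire format) ---
def build_sct(log_id: bytes, when: datetime, signature: bytes = b"\x00" * 8) -> bytes:
    ts_ms = int((when - EPOCH).total_seconds() * 1000)
    body = bytes([SCT_V1]) + log_id + struct.pack("!Q", ts_ms) + struct.pack("!H", 0)
    # hash alg 4 = sha256, sig alg 3 = ecdsa; dummy signature, never verified here
    return body + bytes([4, 3]) + struct.pack("!H", len(signature)) + signature


def build_sct_list(scts: list) -> bytes:
    items = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(items)) + items


LOG_A = bytes(range(32))            # made-up log IDs, not real CT logs
LOG_B = bytes(range(32, 64))

# Honest cert: logged five seconds after its notBefore.
HONEST_NOT_BEFORE = datetime(2016, 10, 25, 10, 0, tzinfo=timezone.utc)
HONEST_SCTS = build_sct_list([build_sct(LOG_A, HONEST_NOT_BEFORE + timedelta(seconds=5))])

# Backdated cert: notBefore claims September, but both logs first saw it in November.
BACKDATED_NOT_BEFORE = datetime(2016, 9, 30, tzinfo=timezone.utc)
BACKDATED_SCTS = build_sct_list([
    build_sct(LOG_A, datetime(2016, 11, 1, 0, 0, 0, tzinfo=timezone.utc)),
    build_sct(LOG_B, datetime(2016, 11, 1, 0, 0, 10, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    print("honest:   ", check_issuance_date(HONEST_NOT_BEFORE, HONEST_SCTS))
    print("backdated:", check_issuance_date(BACKDATED_NOT_BEFORE, BACKDATED_SCTS))
    print("no SCTs:  ", check_issuance_date(HONEST_NOT_BEFORE, b""))
```

Against a real certificate, the bytes passed to `parse_sct_list` come from the precertificate SCT extension (or from the TLS extension / OCSP stapled SCTs), and each SCT's signature should be checked against the log key before its timestamp is trusted, otherwise a CA bent on backdating could just embed a forged SCT.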
The pressure will come from the public. If they damage their reputation, people will be less willing to donate, which will pretty directly influence their income stream.
99% of the public doesn't know what a CA is.
99% of the public doesn't donate either.
I'd be amazed if it wasn't at least five-9s, Facebook has 2B users.
You're underestimating how many web designers and devs are out there. These easily number in the millions.

Also, what grandparent said: "The public", in this case, is people who would donate, of which 100% know what a CA is.

Assuming Facebook's numbers represent two-thirds of all web users then I'm saying I'd be surprised if LetsEncrypt have more than 30,000 donors.

If we're quibbling about "the public" then the GP comments only make sense if "the public" means "people who aren't IT professionals", in which case I'd warrant that there are far fewer donors than 30k who aren't IT professionals, indeed it's got to be ~0.

Can't see donor details on the LE pages though? Mind you, at approx. av. 300k certs issued daily (https://letsencrypt.org/stats/) I concede I could easily be orders of magnitude out in my guesswork.