by toomuchtodo 3245 days ago
I work in the financial infrastructure space, and while I'm no fan of Symantec, using Let's Encrypt would get me laughed out of the room by compliance and our auditors.

Some checkboxes are ceremony, some have real purpose. One size does not fit all.


I suspect your auditors have no real reason to object to Let's Encrypt (do they understand that Let's Encrypt is equally capable of issuing a false certificate under your name? does your security rely on the browser PKI? how did every single company in the browser PKI get okayed by your auditors?).

You have a perfectly valid reason, which is that your auditors want you to buy an expensive certificate to make them happy, but you're still paying more than market ($0ish) for SSL, which means you're a good customer for DigiCert to have acquired.

BTW, if you want to save some money, try sending your auditors the WebTrust audits that Let's Encrypt has passed just as well as Symantec (if not better, see mozilla.dev.security.policy): https://letsencrypt.org/repository/

As you can probably imagine, money isn't an issue. Our budget for our PKI team is larger than a small startup's entire annual payroll cost.
The checkboxes you're implicating here are the ceremonial kind. (I do security in the financial infrastructure space, for whatever that's worth).
I suppose we'll agree to disagree (RegSCI in this case). Happy to grab a beer if you want to lecture me on how I'm wrong; I try to be open-minded.

Whether it's ceremony or not, I have to check the box or face harsh regulatory penalties.

Happy to do this over beer, but I'm not sure I understand which of the SCI rules would determine which CA you use.

I'm a little amused (not at you, but at the absurdity of the whole process) that we're talking about CA selection for products that almost definitely can't even properly quote and unquote a FIX field separator from user input.

What about Let's Encrypt certificates makes them non-compliant to your auditors?

They didn't pay several million dollars to get added to the checklist.
Maybe they pin to the CA certificate? In that case, it matters how much you trust the specific CA.