[tialaramex]

I don't think anybody at Let's Encrypt has spoken on this topic, but in their case specifically there are both moral and pragmatic reasons to choose to cross-sign.

Morally is the easy one. If you work for a public CA you presumably think that the Web PKI is a good idea, and Let's Encrypt helped bring that benefit to lots more users, so that's a good thing. Consider the question of whether McDonalds should support a local soup kitchen. McDonalds thinks food helps bring people together, so why not?

Pragmatically, there are a number of benefits to Let's Encrypt for a commercial CA. It creates a "brand halo" for the "SSL Certificate" product class that you benefit from, where positive experiences with Let's Encrypt result in more customers for you. Growing the market means more opportunities for you as a seller. I see some misleading analysis of the "SSL Certificate" market that doesn't include "Does not have a cert" as one of the options. So they see Let's Encrypt crushing other outfits and assume that's got to hurt profits. But a site that goes from nothing to a Let's Encrypt cert makes no difference to sales at the for-profit CA. Even if 100 sites do that, if just one copies them but chooses to buy a cert, that's an extra sale they would not make otherwise.

[blattimwind]

AIUI IdenTrust was set-up as a sort of self-servicing entity by banks mostly for banks and their clients, so IdenTrust probably doesn't really care too much about classic web CA business.

[xnyan]

I was going to add this. The choice of IdenTrust was not an accident. It was and is a very reputable CA but for banking reasons and so is not threatened by LA's entry into the market.

[castillar76]

It's worth noting here, too, that the vast majority of commercial CAs do not make a lot of money from their public SSL business. The public SSL business is viewed as a loss leader that provides a public profile and security assurance for the company, but most of them make far more money from their private PKI engagements (providing all of the certificates for a company's Active Directory infrastructure, e.g.). As such, Let's Encrypt enhances people's desire for certificates, but doesn't at all compete in the private-CA space where most CAs make bank.

[zymhan]

There's no way that a multi-thousand dollar EV wildcard cert is a "loss leader".

[rpcastagna]

I dunno, if you look at the legacy of DigiNotar it seems like you're dealing with a lot of potential headaches for a couple thousand bucks that your customers hate paying you anyway.

(DigiNotar, of course, famously gave out a fraudulent * .google.com cert and is now defunct.)

As a CA you're assuming a whole lot of liability for not that much money (not that much at the scale of even a small business, anyway), and that just doesn't seem like it'd scale to a wildly profitable venture, especially considering the kinds of people who are actually well equipped to run a CA can probably make a lot more money doing basically anything else in web security. When you add up the contingency risks, the opportunity costs, and whatever actual day-to-day business expenses, it does seem like you'd be looking for other ways to make more comfortable profits.

That doesn't mean CAs should charge more or anything, just that I could accept that SSL certs for standard websites isn't what anyone with a good vision for their business is really trying to hold onto.