by castillar76 2627 days ago
It's worth noting here, too, that the vast majority of commercial CAs do not make a lot of money from their public SSL business. The public SSL business is viewed as a loss leader that provides a public profile and security assurance for the company, but most of them make far more money from their private PKI engagements (providing all of the certificates for a company's Active Directory infrastructure, e.g.). As such, Let's Encrypt enhances people's desire for certificates, but doesn't at all compete in the private-CA space where most CAs make bank.

There's no way that a multi-thousand dollar EV wildcard cert is a "loss leader".
I dunno, if you look at the legacy of DigiNotar it seems like you're dealing with a lot of potential headaches for a couple thousand bucks that your customers hate paying you anyway.

(DigiNotar, of course, famously gave out a fraudulent *.google.com cert and is now defunct.)

As a CA you're assuming a whole lot of liability for not that much money (not that much at the scale of even a small business, anyway), and that just doesn't seem like it'd scale to a wildly profitable venture, especially considering the kinds of people who are actually well equipped to run a CA can probably make a lot more money doing basically anything else in web security. When you add up the contingency risks, the opportunity costs, and whatever the actual day-to-day business expenses are, it does seem like you'd be looking for other ways to make more comfortable profits.

That doesn't mean CAs should charge more or anything, just that I could accept that SSL certs for standard websites aren't what anyone with a good vision for their business is really trying to hold onto.