by Ayesh 2254 days ago
Shitpost: https://bugzilla.mozilla.org/show_bug.cgi?id=647959

Running a CA is not easy, and getting your root certificates included in trusted roots is even harder.

For the technical aspects of it, you will need an HSM for the root certificates generated, OCSP servers, a CRL mechanism, and the signing server. Many enterprises already run their own private CA, and there is plenty of free and open source software.

The difficult part is convincing root CA programs. Mozilla, Google, and Apple would be the start, but I suppose Curl/Java/Debian (which sync with Mozilla) will take some time to catch up too. You need to be audited (by firms like KPMG, and they don't come cheap), and they expect a certain level of transparency.

Why would you want to become a CA in the first place? Amazon and cpanel are root CAs that issue certificates for free. LetsEncrypt is free and issues certificates to everyone. I don't think there's any financial profit to be made anymore.

2 comments

> Shitpost: https://bugzilla.mozilla.org/show_bug.cgi?id=647959

> The purpose of this certificate is to allow Honest Achmed to sell bucketloads of other certificates and make a lot of money.

Well, they're more honest than any current certificate authority.

> LetsEncrypt is free and issues certificates to everyone

When using free providers, you will notice that the issued to -> organization field will be empty. Free providers do not compete with company validating trust authorities. They are just developer tools.

What nonsense. Extended validation schemes are snake oil peddled by CAs to make more money.

It is all nonsense until money is involved and customers want to know that the advertised website actually belongs to your legal entity.

Does not help in any real way. See https://arstechnica.com/information-technology/2017/12/nope-... for an example.

There's a huge difference between "it isn't impossible to bypass" and "does not help in any real way".

The only reason to get EV certs is the supposedly "safe" green organization field. As demonstrated, it can be circumvented by anyone with minimal monetary motivation. Why even bother in that case? I rate that as "does not help in any real way".

I pointed out that letsencrypt does not compete in the same space with some providers and I get responses from internet freedom activists who don't want to acknowledge the fact. If shit is broken and doesn't work, you don't use it to make a point, you go fix it.
> They are just developer tools

A CA is a CA. A developer tool would be you signing certificates with your own private CA. LetsEncrypt is often better as they support must-staple, CT timestamps in the certificates themselves, and ECDSA leaf certificates.

The snakeoil pitch would have worked 3-4 years back when browsers showed a big yellow label in the address bar, but as of now they all look the same regardless of whether it's a DV, OV, or EV certificate, unless you click your way through the certificate information.
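The properties this comment and the earlier "organization field will be empty" remark are arguing about are all visible in the certificate itself. Below is an added example, not from the thread, that uses the openssl CLI to report whether a PEM certificate carries an Organization in its subject, the must-staple TLS Feature, embedded SCTs, and an ECDSA or RSA key; it first builds two constructed self-signed certificates (made-up names; OpenSSL 1.1.1 or newer is assumed for `-addext`) so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: report from a PEM certificate the things
# argued about above (Organization in the subject, must-staple, embedded SCTs,
# ECDSA vs RSA key) using only the openssl CLI (1.1.1+ assumed, for -addext).
set -e

# Build a constructed self-signed cert in directory $1 and print its path.
# $2 = "ov": ECDSA P-256 key, an O= in the subject and the must-staple flag,
#      imitating what an OV/EV issuer would put in; "dv": RSA key, CN only.
make_test_cert() {
  if [ "$2" = ov ]; then
    subj="/CN=ov.example.test/O=Example Corp"
    keyspec="ec -pkeyopt ec_paramgen_curve:P-256"
    ext="tlsfeature=status_request"
  else
    subj="/CN=dv.example.test"
    keyspec="rsa:2048"
    ext="nsComment=constructed DV-style test certificate"
  fi
  # keyspec is intentionally left unquoted so it word-splits into arguments
  openssl req -x509 -nodes -days 1 -newkey $keyspec -keyout "$1/$2.key" \
    -out "$1/$2.pem" -subj "$subj" -addext "$ext" >/dev/null 2>&1
  echo "$1/$2.pem"
}

# Print "org=.. must_staple=.. scts=.. key=.." for the certificate file $1.
cert_profile() {
  text=$(openssl x509 -in "$1" -noout -text)
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  org=no; staple=no; scts=no; key=other
  # An O= RDN is what OV/EV validation adds; DV certs carry only CN/SANs.
  printf '%s\n' "$subj" | grep -Eq '(^subject= ?|,)O=' && org=yes
  # must-staple is the TLS Feature extension carrying status_request.
  printf '%s\n' "$text" | grep -q 'TLS Feature' && staple=yes
  # SCTs embedded in the certificate rather than delivered via OCSP or TLS.
  printf '%s\n' "$text" | grep -q 'CT Precertificate SCTs' && scts=yes
  printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey' && key=ecdsa
  printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' && key=rsa
  echo "org=$org must_staple=$staple scts=$scts key=$key"
}

# Profile one of the constructed certificates ("ov" or "dv") in a temp dir.
constructed_profile() {
  d=$(mktemp -d)
  cert_profile "$(make_test_cert "$d" "$1")"
  rm -rf "$d"
}

for kind in ov dv; do echo "$kind: $(constructed_profile "$kind")"; done
```

Point `cert_profile` at any real leaf certificate (for example one saved with `openssl s_client -showcerts`) to see which of these a given issuer actually provides.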

You might notice that, but very few other people do.

No one, other than us, cares about that.