by schoen 1600 days ago
I worked on Let's Encrypt and I think Let's Encrypt is definitely not a NOBUS.

However, exposure to certificate misissuance risk, including intentional misissuance demanded by a government, is based on relying parties (users) accepting a particular CA, not based on subscribers (web sites) choosing to use that CA. If your site's users trust signatures chaining up to the Let's Encrypt X1 root, there is nothing you can do to stop those users from accepting any potentially-false certificates for your site issued under that root, even if you had nothing to do with the issuance of those certificates.

A famous example of this is the DigiNotar and Comodo attacks, where someone who wanted to help the Iranian government spy on people caused misissuance of certificates for the domains of some major web sites. Those web sites were not customers of DigiNotar or Comodo, but the attacks worked anyway.

In the NOBUS scenario, some part of the U.S. government decides to exploit its jurisdiction over Let's Encrypt (or one of the dozens of other publicly-trusted CAs located in the United States). (Edit: or, it contrives to get insiders working in those CAs to help it bypass their issuance rules and safeguards.) Just as with the DigiNotar and Comodo attacks, this attack would work regardless of whether the target web site is a Let's Encrypt subscriber or not, as nothing technically prevents Let's Encrypt or other U.S.-based CAs from misissuing certificates for any domain name whatsoever.

CAA doesn't stop this because the CAA standard specifically says that CAs should check it for issuance, but browsers should not check it when accepting a certificate. (One reason for that is that the CAA records could change over time, so a CAA record could have permitted issuance when issuance took place, even if it doesn't permit it now.)

CT makes it possible to detect this, regardless of what jurisdiction the misissuing CA is located in or what the reason for the misissuance is, if the subscriber is monitoring CT. Thanks, CT inventors!

In conclusion, although it's somewhat counterintuitive, even if you fear that the U.S. government will try to attack your users through the PKI system, you could choose to use a U.S.-based CA, without significantly increasing the risk of an attack.

There is also a publicly-trusted CA based in Norway which offers free certificates using the same protocol as Let's Encrypt, so you can use the same client software with it:

https://www.buypass.com/products/tls-ssl-certificates

Their free certificates are more limited in various ways than Let's Encrypt's, but if you're running a single site, they should work great.

I would fully agree with the original author that CAs should be held to more scrutiny, that it's kind of sad that they typically can't provide extremely high-assurance or meaningful verification, that other systems for encryption and authentication are useful for their own purposes, and that it would be good to have more alternatives to Let's Encrypt based in more jurisdictions.
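The detection side of the comment above (CT lets a subscriber spot a certificate for their domain no matter which CA issued it, as long as someone is watching the logs) as an added, self-contained example; this is not code from the comment, from Let's Encrypt, or from any CT log software. The log entries, issuer names and the `example.net` domain are constructed sample data, the CT records are simplified to issuer plus SAN list rather than parsed from real leaf certificates, and issuers are matched by a plain string rather than a full DN.

```python
"""Minimal CT-monitor check (added example, constructed data).

Given a stream of simplified CT log entries, flag every certificate whose SANs
fall under a domain we control but whose issuer is not on our expected list.
The point mirrors the comment: the check does not care which CA issued the
certificate or whether we are that CA's customer, only that it names our domain.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class CtEntry:
    log_index: int      # position in the (hypothetical) log
    issuer: str         # issuer organisation name as seen in the leaf cert
    sans: tuple         # dNSName SAN values; may contain wildcard names


def san_in_scope(san: str, domain: str) -> bool:
    """True if a SAN name is `domain` itself or any name beneath it.

    A wildcard such as '*.example.net' counts as in scope because it would
    be accepted by browsers for hosts under our domain. The '.' prefix in the
    suffix test keeps 'notexample.net' from matching 'example.net'.
    """
    s = san.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    if s.startswith("*."):
        s = s[2:]
    return s == d or s.endswith("." + d)


def find_unexpected(entries, monitored_domains, expected_issuers):
    """Return (log_index, issuer, matching_sans) for every entry that names
    one of our domains but was issued by a CA outside `expected_issuers`."""
    expected = {i.lower() for i in expected_issuers}
    findings = []
    for entry in entries:
        matching = tuple(
            san for san in entry.sans
            if any(san_in_scope(san, d) for d in monitored_domains)
        )
        if matching and entry.issuer.lower() not in expected:
            findings.append((entry.log_index, entry.issuer, matching))
    return findings


# Constructed sample log: one legitimate cert, two unexpected ones, and one
# unrelated cert that must be ignored. "Example Unauthorised CA" is invented.
SAMPLE_ENTRIES = (
    CtEntry(1, "Let's Encrypt", ("example.net", "www.example.net")),
    CtEntry(2, "Example Unauthorised CA", ("login.example.net",)),
    CtEntry(3, "Example Unauthorised CA", ("*.other.test",)),
    CtEntry(4, "Example Unauthorised CA", ("*.example.net", "notexample.net")),
)


def demo():
    """Run the check over the sample log and return the findings."""
    return find_unexpected(SAMPLE_ENTRIES, ["example.net"], ["Let's Encrypt"])


if __name__ == "__main__":
    for idx, issuer, sans in demo():
        print(f"log entry {idx}: {issuer} issued for {', '.join(sans)}")
```

A real monitor would feed this from a CT log's `get-entries` endpoint or a CT search service, parse the leaf certificate to extract the issuer and SANs, and keep a cursor over the log index so each entry is examined once; the scope and issuer checks are the part that does not change.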