As the person who negotiated the agreements between Let's Encrypt and IdenTrust I can tell you that they have provided valuable services, including but not limited to cross-signs. I would not describe it as rent seeking.
We are sincerely glad to have them as partners, and grateful for their contributions to helping get Let's Encrypt going. We could not have done what we did without them. Running a publicly trusted CA is not easy, and cross-signing others involves work and liability, particularly if the entity asking for a cross-sign is an upstart with a strange plan and little to no experience running a CA.
Cross-signing a CA is many orders of magnitude more work than signing a single domain leaf cert. Sure, on a technical level the result is similar - a signed X.509 cert, just with the "CA" flag set to true, but it's a very different proposition.
Imagine if a CA cross-signed some new, upstart CA to get them browser compatibility (like IdenTrust did for LE), and then the new upstart went rogue and started issuing phony certs for google.com, wikipedia.org, etc. on behalf of [insert totalitarian nation here] state security. Those certs would chain up to the cross-signer's root, and they're responsible for it. They could face removal from root programs if they were reckless about cross-signatures.
So if a root CA wants to cross-sign a new CA, they need to make sure that the new CA follows the same policies and gets the same audits as a root CA, because their ability to break things will be basically equivalent to a root CA.
Honestly, <$500k for all the admin work on this sounds reasonable to me. It probably took a huge portion of several people's time throughout the year.