Hacker News new | ask | show | jobs
by mcpherrinm 702 days ago
x.509 is a certificate format used by many PKIs.

Let's Encrypt is a CA that is part of the WebPKI.

We follow standards set by the CA/B forum, undergo WebTrust Audits, and are accepted into the root programs run by the browser vendors (Primarily: Apple, Mozilla, Microsoft, and Chrome). That is the WebPKI.
1 comments
eqvinox 702 days ago
Are you implying Let's Encrypt certificates should not be used for non-HTTP services?
link
mcpherrinm 702 days ago
I am not implying that, but merely defining what the WebPKI is and where we fit into it.

Let's Encrypt's primary goal is to encrypt the web, and most of our decision making is based on that. It isn't so much about HTTP as it is the ecosystem.

You can use our certificates for any TLS Server use-case. I wouldn't suggest using our certificates for things which aren't TLS servers, though.

link
eqvinox 701 days ago
Thanks for the clarification. I guess I'll have to find a few friends to run an ACME service together with. Unfortunately, in most cases the certificate store is global across applications, so presumably we'll hit a brick wall with browser requirements.

(The services are all TLS based. They are just not HTTP based, and CRLs are generally delivered via HTTP. And I'm not going to wrangle a HTTP client into my mail server, or worse, postgres instance. The latter could also work with a local CA, it's primarily SMTP that doesn't.)

(...or I just ignore revocation and cross my fingers it'll never come up...)

link
eqvinox 701 days ago
Wait. What. Let's Encrypt CRLs are only available to browser vendors? So you can't even do a CRL check in an SMTP server if you wanted to?

> Our new CRL URLs will be disclosed only in CCADB, so that the Apple and Mozilla root programs can consume them without exposing them to potentially large download traffic from the rest of the internet at large.

https://letsencrypt.org/2022/09/07/new-life-for-crls.html

link
mcpherrinm 701 days ago
That’ll change with OCSP depreciation, as certificates are required to contain one or the other of OCSP or CRLs.
link
nickf 702 days ago
What non-HTTP services need publicly-trusted certificates and care about revocation?
link
formerly_proven 702 days ago
mail
link
nickf 702 days ago
Like SMTP/IMAP etc? That would make sense, though I'm not sure how much revocation checking even happens there.
link
eqvinox 702 days ago
OCSP stapling: free feature of TLS library, works

OCSP must-staple: free feature of TLS library, works

plain OCSP: hit & miss, depends on the client software using the TLS library correctly

CRL: no.

… that's the crux of this entire thread.

link