by actionfromafar 633 days ago
There are or were two kinds of people using self-signed certificates. The vast majority used to be "I don't know how or can't afford to get a certificate chain cert."

Now, with Let's Encrypt, what's left of the "can't afford" group is "I can't be arsed to update my config yet".

2 comments

Just because many people using self-signed certs are at the "don't know" stage isn't a reason to invalidate them.
For IMAP, I'm one of them! :-D
I love how the entire free PKI ecosystem is now relying on one single company.
It’s not. There’s LetsEncrypt, ZeroSSL, BuyPass, SSL.com, and Google Trust Services[0]. The ACME protocol is standardized and you can point your client at any of these at any time, and other providers can begin providing certificates at any time. Some tooling[1] even uses other providers by default.

[0] https://acmeclients.com/certificate-authorities/

[1] https://github.com/acmesh-official/acme.sh/wiki/Change-defau...