Hacker News new | ask | show | jobs
by theandrewbailey 534 days ago
> Maybe the cert issuing chain needs to be looked at for its risks

HN is using Let's Encrypt, and so are about a third to half the sites on the internet at this point. If there's an issue with Let's Encrypt, the people on/running this site would know.
1 comments
ggm 534 days ago
The people who will act are the let's encrypt people, in how they select algorithms for the CA chain. I wouldn't expect this site to have to do very much but I would expect to see some public communications from letsencrypt. Which, I am not seeing. Hence some evidence to back my pqc scepticism.

https://community.letsencrypt.org/t/preparing-for-quantum-sa...

Like I said, more frequent certificate reissuance probably covers it. It would be changing a timing parameter in the config and resetting some options in an orderly upgrade not a massive lift and drag to another place.

link
altairprime 534 days ago
Let’s Encrypt is focusing on other concerns next year but noted that donations are what funds their ability to progress:

https://letsencrypt.org/2024/12/11/eoy-letter-2024/

As with any donation-supported venture, their ability to consider “someday” concerns is directly tied to donations and sponsorships. Reading between the lines of the recent revocation shutdown, I estimate their operating budget does not have room to consider PQC, when they have more pressing concerns to focus on.

So, their disinterest in PQC does not likely inform on whether others should do PQC or not; to each their own risk assessments, etc.

link
Azerty9999 533 days ago
What is addressed recently by NIST, Cloudflare, Google, Apple, and others primarily involves potential(?) weaknesses in TLS key exchange & asymmetric cryptography. Let's Encrypt is more about certificates, I think, no?
link
ggm 533 days ago
The cert gives assurance the right endpoint has been reached to bootstrap tls. So arguably its part of the attack surface. The tls key exchange may not have direct dependency but it has some indirect? Clearly the on the wire pki used to establish emphemeral session keys would be the main issue and that is down to the webserver and browser not letsencrypt.
link