by walrus01 39 days ago
Considering the open source nature of Let's Encrypt, I wonder what the barriers/costs would be (theoretically) to a wealthy benefactor who wanted to duplicate its server side infrastructure and a core staffing level of persons, and fund a "parallel" equally trusted, alternative entity with a solid governing board. Same general idea as how Acton funded the Signal Foundation.

Somewhere that none of the physical infrastructure/hosting environment overlapped with existing Let's Encrypt stuff so that the failure of one entity would have zero blast radius affecting the other.

I know there's a long and complicated process to go through to become a trusted root CA and get your CA public cert auto-installed in every OS and browser trust store. Indeed, in the early days of Let's Encrypt I recall their root CA certs were signed by other older root CAs.

2 comments

A lot of Let’s Encrypt is not the software but a bunch of auditing and process that ensure compliance and make it legible to the required auditors.
I understand there's probably a big thorny problem of duplicating the corporate process/policies on the human level that ensure compliance, but is the back-end software pipelining stuff to CT logs not also something that can be replicated? Or is it not part of the server side stuff which has been open sourced?

https://letsencrypt.org/docs/ct-logs/

Our code for sending stuff to CT logs is fully open source. But that's the tiniest slice of our compliance regime -- the vast majority of it is things like audit logging certain events, preserving audit logs in specific ways for certain amounts of time, ensuring dual-controls on all systems, being both audited and penetration tested annually, maintaining firewalls and vulnerability scanning tools, etc.

It's absolutely possible to spin up another new CA; lots of folks have done so over the years. But having time, and money, and prior experience all help a lot.

Google has their own free ACME endpoint: https://pki.goog/
They implied it used a GCP account. It would require giving Google personal information, a phone number, and automatic payment permission. And Google not disabling your account because your spouse uploaded images for your child's doctor.
ZeroSSL should also be drop-in.
ZeroSSL advertised 3 free certificates with no multiple names or wildcards. The next plan was $180 yearly.
Their docs say unlimited free and wildcards are supported with ACME. Does require EAB tho

https://zerossl.com/documentation/acme/

Fwiw haven't used them personally