Let's Encrypt certificate authority signs first cert

Let's Encrypt, a free automated open-source certificate authority (CA), has signed its first certificate – leading the Electronic Frontier Foundation (EFF) to celebrate "an important milestone in our march to encrypt all of the Web." Announced in 2014, the companies behind Let's Encrypt intended to encourage the world's …

  1. Steve Knox
    Facepalm

    It's free! It's automated! It's open-source!

    What it needs is a tech-savvy *cough*, popular *cough*, well-respected *well, two out of three, anyway...* tech news site as a client to really get the ball rolling...

    https://www.theregister.co.uk

    ...

    *sigh*

    1. Anonymous Coward

      Re: It's free! It's automated! It's open-source!

      The Reg doesn't need it anymore. Anyone who was interested in the readership back when we were all new already has your un-encrypted Register username, password, name, address, email and telephone. Now there is no value in us. We whine too much.

      1. Anonymous Coward

        Re: It's free! It's automated! It's open-source!

        What an odd bunch of thumbs down. Guess you like submitting your username, password and personal details on the Register's unencrypted pages, or you just lack a sense of sarcasm.

        Oh well.

        1. Michael Wojcik Silver badge

          Re: It's free! It's automated! It's open-source!

          "Guess you like submitting your username, password and personal details on the registers unencrypted pages"

          Yes, because I have a realistic threat model.

  2. Jan 0 Silver badge
    Go

    Yes! Get on with it ElReg,

    What's stopping you now?

    1. DaLo

      Re: Yes! Get on with it ElReg,

      Was it really the £4 p/a cost of a cert that was holding them back before?

    2. Naselus

      Re: Yes! Get on with it ElReg,

      "What's stopping you now?"

      Sigh, I suppose it has to come out sooner or later.

      They can't set up a proper https site because the last person working for El Reg who understood anything about computers quit in 1998. The remaining hacks don't know which one is the web server, and haven't got the admin password for it in any case.

      The whole site is basically written through a heavily-modified version of WordPress, using a series of automated chat bots - Andrew Orlowski is specifically programmed to talk about IP if it hasn't been mentioned for 60 lines or 47 minutes, whichever is the shorter. Lewis Page-bot simply collects any 3 random articles from the front page of the Heartland Institute and mixes them together. Gavin Clarke is just a rejected custom re-skin of Siri for the Melanesian budget phone market. And Trevor Pott is actually Trevor Pott.

  3. This post has been deleted by its author

    1. Pliny the Whiner

      Re: Yes! Get on with it ElReg.

      Jesus is opposed to encryption. Everyone knows that.

      1. Mark 85

        Re: Yes! Get on with it ElReg.

        But he cries when your data gets snooped...

      2. Anonymous Coward

        Nooooooo!

        Dancing Jesus!

    2. Anonymous Coward
      Alien

      Re: Yes! Get on with it ElReg.

      "What's stopping you now?"

      Two things:

      1. Andrew Orlowski thinks certs are part of a freetard conspiracy.

      2. Lewis Page thinks that certs are part of a warmist conspiracy.

      1. h4rm0ny

        Re: Yes! Get on with it ElReg.

        And

        3. Tim Worstall refuses to use free certs until they cost more.

        4. Trevor Potts refuses to use any technology that is compatible with IPv6

        1. Trevor_Pott Gold badge

          Re: Yes! Get on with it ElReg.

          I use lots of technology compatible with IPv6. I just use NAT66 (but not NAPT66) to do 1:1 address mapping to allow me to A) have an internal address space that isn't visible to the public and B) handle readdressing on networks that can't afford the outrageous costs of BGP connectivity. Oh, and I don't care if that breaks $application (not that I have found any it has, yet).

          Not accepting the shit shoveled my way by the ivory tower types isn't quite the same as not embracing the future. It's anticipating potential problems and architecting around them.

          Hey, isn't that what you lot are supposed to be getting paid for too?

        2. Jonathan Richards 1
          Joke

          Re: Yes! Get on with it ElReg.

          3. Tim Worstall refuses to use free certs until they cost more and contain 7.2% neodymium.

          FTFY

  4. Ru'

    Would be helpful to perhaps include instructions to install the cert in other popular browsers. I hear Chrome has a few users these days, for example.

  5. Anonymous Coward

    Certificates are not for encryption only.

    Certificates are also about authentication. Sometimes, I may care more about authentication (endpoints and data), than encryption. If certificates are emitted without vetting, the authentication is no longer reliable. You get encryption, nice - but useless if you can't trust the entity certificate.

    1. vortexvortex

      Re: Certificates are not for encryption only.

      When news of the initiative broke last November, I asked EFF whether they would be working with CA-Cert who have been dealing with individual and organizational identity verification issues. EFF's Peter Eckersley's response was:

      "We aren't working with CA-CERT, but we're partnering with and receiving advice from people who've run a number of other widely-used CAs.

      Securely encrypting the Web is sufficiently important that we will be able to raise enough donations and membership contributions to run ISRG with a proper budget."

      That's a pity, as the initiative's industry muscle could have ensured a cross signing of the root of a long standing free community CA infrastructure with distributed procedures and processes behind it.

      1. Anonymous Coward

        Re: Certificates are not for encryption only.

        It's odd they replied to you after you asked them. I got EFF all.

    2. Anonymous Coward

      Re: Certificates are not for encryption only.

      Certificates are not for encryption only... true, I'd like to see every page, every msg, SIGNED forever, with pfs - remember that MITM isn't just for stealing data - can also be used to push modified data.

      Unfortunately although the CA/Browser forum are allegedly about to get a bit more useful (less industry captured) by kicking out some sub-CAs, at heart they still support fully state manipulation of data, for seemingly *any* state. . .

      summary: *mostly* authenticated

    3. Michael Wojcik Silver badge

      Re: Certificates are not for encryption only.

      Certificates are only about authentication. If you want encryption without authentication, you can use ADH or other non-authenticated key-exchange schemes.

      A CA that doesn't verify the party they're issuing a certificate to is a CA in name only. It's not providing a useful service.

  6. just another employee

    Anyone for a driving licence?

    I am announcing the new "Open Driving Licence" scheme.

    No one trusts this scheme yet although they will. Honest.

    My enrollment and issuance process is simple so it should work out fine (so simple in fact that 'they' - the old duffers in power - do not understand it).

    My scheme is this:

    1) Send me a photo and a name, and

    2) I send you a driving licence printed in a nice shade of purple on A4 paper.

    I can't see why this won't work? Can you?

    1. Anonymous Coward

      Re: Anyone for a driving licence?

      Surely there is a simpler way. After all I don't need to prove who I am and you don't need to prove who you are. Can't you just leave them somewhere and let me pick one up and attach my own photo and name?

      1. just another employee

        Re: Anyone for a driving licence?

        ...I could load a blank license PDF up to Dropbox and let you download and complete it yourself?

        Is that simpler? Certainly works for me.

        Adopters/Followers = 1

        Apparently the second follower is the most important. Just need one more and we have ourselves a true Open Community Supported Platform (OCSP) driving licence scheme!

  7. Anonymous Coward

    Encrypt the whole web?

    What the hell for?

    Unless it's a private page or site then leave it plain text please. Why waste the time and CPU cycles encrypting something that's public anyway FFS??

    1. richie5um

      Re: Encrypt the whole web?

      That is assuming what the site is intending to send to you is actually what you get. Almost certainly you are passing through a lot of systems to get from your request to the target site and back. And as recently, unencrypted traffic is then subject to: ad injection, personal profile building, ...

      I'd much rather the CPU cost.

      1. Anonymous Coward

        Re: Encrypt the whole web?

        "And as recently, unencrypted traffic is then subject to: ad injection, personal profile building, ..."

        Oh please. If you're that worried about it delete all your cookies on a regular basis and/or use Tor. In the meantime the world's data centres currently use 10% of the world's electricity. I see no good reason for that to rise considerably with all the extra environmental costs just because of a few paranoids like yourself.

    2. Adam Inistrator

      Re: Encrypt the whole web?

      I suppose you think "nothing to hide nothing to fear as well". Changes everything. Imagine market researchers standing on every street corner taking notes of EVERYTHING. Creepy. But this is what goes on in the web.

  8. Morrie Wyatt
    Joke

    ACME protocol?

    Does it mean that we need to beware Judge Doom, falling anvils, painted tunnels, roadrunners and other such cartoon dangers?

  9. phil dude
    Stop

    clarification ?

    Does this service mean you generate a CA at home, and they will sign it?

    Or they send you a new CA and sign that?

    The ONLY way I will ever use a remote CA is if they sign the one I generated.

    Am I missing something?

    P.
