It's not really free, though. Rather, the costs are distributed rather than centralized, but running DNSSEC and keeping it working incurs new operational costs for the domain holders, who need to manage keys and DNSSEC signing, etc. And of course there are additional marginal costs to the registrars of managing customer DNSSEC, both building automation and providing customer service when it fails.

It's of course possible that the total numbers are lower than the costs of the WebPKI -- I haven't run them -- but I don't think free is the right word.

reply
I mean, I guess the costs are paid for by the domain name fee. But at least it doesn't have to be a charitable activity covered by non-profits. The early HTTPS certs were especially worthless and price-gouging.
reply
> But at least it doesn't have to be a charitable activity covered by non-profits.

LE isn't primarily funded by non-profits, as you can see from the sponsor list here: https://isrg.org/sponsors/

Anyway, I think there's a reasonable case that it would be better to have the costs distributed the way DNSSEC does, but my point is just that it's not free. Rather, you're moving the costs around. Like I said, it may be cheaper in aggregate, but I think you'd need to make that case.

reply
> LE isn't primarily funded by non-profits, as you can see from the sponsor list here: https://isrg.org/sponsors/

I mean, Mozilla got the ball rolling and it's still run on donations (even if they come from private actors).

> Like I said, it may be cheaper in aggregate, but I think you'd need to make that case.

The PKI is already there: we have 7 people who can do a multisig for new root keys. There is a signing ceremony in a secure bunker somewhere that gets live streamed. The HSMs and servers are already paid for. Cert transparency/monitoring is nice but now it's hard-coded to HTTPS instead of being done more generically. There's a lot of duplicated effort.

reply
Yes, the whole point of LetsEncrypt was to prevent that from happening again, and it now dominates the market.
reply