I mean, I guess the costs are paid for by the domain name fee. But at least it doesn't have to be a charitable activity covered by non-profits. The early HTTPS certs were especially worthless and price-gouging.
reply
> But at least it doesn't have to be a charitable activity covered by non-profits.

LE isn't primarily funded by non-profits, as you can see from the sponsor list here: https://isrg.org/sponsors/

Anyway, I think there's a reasonable case that it would be better to have the costs distributed the way DNSSEC does, but my point is just that it's not free. Rather, you're moving the costs around. Like I said, it may be cheaper in aggregate, but I think you'd need to make that case.

reply
> LE isn't primarily funded by non-profits, as you can see from the sponsor list here: https://isrg.org/sponsors/

I mean, Mozilla got the ball rolling and it's still run on donations (even if they come from private actors).

> Like I said, it may be cheaper in aggregate, but I think you'd need to make that case.

The PKI is already there: we have 7 people who can do a multisig for new root keys. There is a signing ceremony in a secure bunker somewhere that gets live streamed. The HSMs and servers are already paid for. Cert transparency/monitoring is nice but now it's hard-coded to HTTPS instead of being done more generically. There's a lot of duplicated effort.

reply