Digital certificates that sign software packages are used to enforce exclusion by some manufacturers. Let's Encrypt is not in that space to my knowledge, but it is a place where you, the owner, do not have the right to determine which certificate authority should be trusted, and generally the only one that is trusted is the manufacturer. It's arguable whether we even should be calling such entities a certificate authority, even if they technically are the owner of the root certificate that signs the package.
The Russian government issued its new root certificate years ago.
Nobody trusted it enough to request a certificate from them or install it on their computers, including almost all Russian residents.
If Let's Encrypt enforces the rules as written in the PDF, a lot of people would lose a choice.
Frankly, even publishing a statement like that would make the scales of trust tip for some.
Maybe we should have solved the ISP snooping problem by making that illegal instead.
With all the problems with the Web PKI, at least the bad actors are getting distrusted, and this provides very strong enforcement on the rest. And Certificate Transparency makes sure mis-issuance would be caught. It is not perfect by any means, but things are getting better.
With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of government, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it, but with today's climate, I am sure both the US and many European countries will do that too.)
Countries already have CAs that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage.
> With DANE (or other country-issued certificates)
DANE isn't a country-issued certificate. It's a scheme where you store your public keys in DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread, plus the whole issue with DNS registries.
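As an added example (not part of the comment above, nor any project's code), this is what the "public keys in DNS records" mechanism looks like on the wire: a TLSA record (RFC 6698) carries a usage, a selector (0 = whole certificate, 1 = just the SubjectPublicKeyInfo), a matching type (0 = raw bytes, 1 = SHA-256, 2 = SHA-512) and the association data. The client derives the same digest from the certificate the server presented and compares. The certificate below is a constructed, unsigned X.509-shaped DER blob with a dummy key so the example runs offline; all function names are mine.

```python
"""DANE/TLSA matching (RFC 6698) against a certificate's DER encoding.

Added example, not from the original thread. The certificate is a constructed,
unsigned X.509-shaped DER blob with a dummy key, so the example runs offline.
"""
import hashlib


# ---- minimal DER encode/decode, enough to build and walk an X.509 skeleton ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_seq(*items):
    return der(0x30, b"".join(items))


def der_read(buf, pos=0):
    """Return (tag, value_bytes, end_offset) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV from an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert_body)
    tag, _, pos = der_read(tbs, 0)
    if tag != 0xA0:          # no explicit [0] version: the first field was serialNumber
        pos = 0
    for _ in range(5):       # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, end = der_read(tbs, pos)
    return tbs[pos:end]


# ---- TLSA record handling ----
def _association_data(cert_der, selector, mtype):
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    return {0: lambda d: d,
            1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}[mtype](data)


def tlsa_record_for(cert_der, usage=3, selector=1, mtype=1):
    """Publisher side: the TLSA tuple a server operator would put in DNS."""
    return usage, selector, mtype, _association_data(cert_der, selector, mtype)


def parse_tlsa_presentation(rr_text):
    """'_443._tcp.example.com. IN TLSA 3 1 1 <hex>' -> (usage, selector, mtype, data)."""
    fields = rr_text.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    return usage, selector, mtype, bytes.fromhex("".join(fields[i + 4:]))


def tlsa_matches(record, cert_der):
    """Client side: does the presented certificate satisfy this TLSA record?

    Only the certificate-matching half of DANE is done here. For usages 0-2 the
    client must additionally run PKIX chain validation; for usage 3 (DANE-EE) the
    record alone is authoritative, which is why it needs DNSSEC-validated data.
    Unknown usage/selector/matching-type values are treated as "no match".
    """
    usage, selector, mtype, assoc = record
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    return _association_data(cert_der, selector, mtype) == assoc


def build_sample_cert(pubkey_point):
    """Constructed, unsigned X.509-shaped certificate (dummy key, dummy signature)."""
    name = der_seq(der(0x31, der_seq(der(0x06, bytes.fromhex("550403")),   # commonName
                                     der(0x0C, b"Test CA"))))
    alg = der_seq(der(0x06, bytes.fromhex("2a864886f70d01010b")))          # sha256WithRSAEncryption
    validity = der_seq(der(0x17, b"240101000000Z"), der(0x17, b"340101000000Z"))
    spki = der_seq(der_seq(der(0x06, bytes.fromhex("2a8648ce3d0201")),      # id-ecPublicKey
                           der(0x06, bytes.fromhex("2a8648ce3d030107"))),   # prime256v1
                   der(0x03, b"\x00" + pubkey_point))
    tbs = der_seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
                  alg, name, validity, name, spki)
    return der_seq(tbs, alg, der(0x03, b"\x00" + bytes(32))), spki


def demo():
    cert, _ = build_sample_cert(b"\x04" + bytes(range(64)))     # dummy point, not a real key
    usage, sel, mt, assoc = tlsa_record_for(cert)
    rr = f"_443._tcp.example.com. IN TLSA {usage} {sel} {mt} {assoc.hex()}"
    record = parse_tlsa_presentation(rr)
    other, _ = build_sample_cert(b"\x04" + bytes(64))            # a different (dummy) key
    return tlsa_matches(record, cert), tlsa_matches(record, other)


if __name__ == "__main__":
    print(demo())
```

The selector-1 form (SPKI only) is the one operators usually publish, because it survives certificate renewal as long as the key is kept; a selector-0 record has to be rotated with every reissued certificate, which is where the "we'll fix it soon" operational failures tend to come from.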
And things have only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party.
If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country?
[0] https://blog.mozilla.org/security/2011/09/02/diginotar-remov...
I didn't realize they slapped their face on the pavement right after being acquired.
Note that phones already try to prevent you from using a certificate that you provide yourself.
I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.