SoylentNews is people

posted by n1 on Wednesday June 10 2015, @01:59AM
from the safety-in-numbers dept.

Let's Encrypt has announced the generation of its root and intermediate certificates, shared the public keys, and shown the layout of its operational structure. The keys are RSA (the Rivest, Shamir, and Adleman algorithm) for now, with ECDSA (Elliptic Curve Digital Signature Algorithm) versions coming later this year.

The root certificates are for the Internet Security Research Group (ISRG) and separately for the Online Certificate Status Protocol (OCSP) for the ISRG. OCSP is described in RFC 6960 and used for revocation of certificates.

The intermediate certificates are for two different intermediate Let's Encrypt CA (Certificate Authority) servers, named X1 and X2. These are cross-signed by the IdenTrust root CA for ease of deployment, so existing browsers can use them without any modifications until browser updates add the ISRG root CA. The Let's Encrypt intermediate CA X2 is intended only for disaster recovery in case X1 becomes non-functional. The Let's Encrypt announcement has a schematic of the structure.

The target is (or was) to launch the Let's Encrypt service in the second quarter of 2015 (which ends this month) and they plan on further announcements during the next few weeks.
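The cross-signing arrangement described above can be reproduced with a throwaway OpenSSL PKI. This is an added example, not Let's Encrypt's or ISRG's own tooling, and every file name and CN in it is a constructed placeholder: one intermediate key receives a certificate from each of two roots, so a client that trusts only the established root and a client that trusts only the new root both validate the same leaf.

```shell
#!/bin/sh
# Constructed demo PKI: every name below is a placeholder, not a real
# ISRG, IdenTrust or Let's Encrypt certificate.

# new_csr NAME CN: fresh RSA key NAME.key plus certificate request NAME.csr
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_demo_pki DIR: two roots, ONE intermediate key certified by both, one leaf
build_demo_pki() {
  (
    cd "$1" || exit 1
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
      'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > ca.ext
    # Key-id-only AKID: it names the issuer's key, so it matches both
    # certificates of the cross-signed intermediate.
    printf '%s\n' 'authorityKeyIdentifier=keyid' > leaf.ext
    new_csr new_root "Demo New Root" || exit 1
    new_csr old_root "Demo Established Root" || exit 1
    new_csr int "Demo Intermediate X1" || exit 1
    new_csr leaf "www.example.test" || exit 1
    for r in new_root old_root; do
      # Self-signed root certificate
      openssl x509 -req -in "$r.csr" -signkey "$r.key" -days 30 \
        -extfile ca.ext -out "$r.pem" 2>/dev/null || exit 1
      # Cross-signing: the same request (same subject, same public key)
      # is certified once by each root.
      openssl x509 -req -in int.csr -CA "$r.pem" -CAkey "$r.key" -set_serial 1 \
        -days 30 -extfile ca.ext -out "int_by_$r.pem" 2>/dev/null || exit 1
    done
    # The leaf is signed once, with the intermediate's private key.
    openssl x509 -req -in leaf.csr -CA int_by_new_root.pem -CAkey int.key \
      -set_serial 1 -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null || exit 1
  )
}

# chain_ok DIR ROOT INTERMEDIATE: succeeds if leaf.pem verifies when ROOT is
# the trust anchor supplied and INTERMEDIATE is the untrusted helper cert.
chain_ok() {
  openssl verify -CAfile "$1/$2.pem" -untrusted "$1/$3.pem" "$1/leaf.pem" \
    >/dev/null 2>&1
}
```

After sourcing the file, run `build_demo_pki` on an empty directory and call `chain_ok DIR old_root int_by_old_root` or `chain_ok DIR new_root int_by_new_root`; pairing a root with the intermediate certificate issued by the other root fails, because no path reaches the trusted anchor.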


  • (Score: 0) by Anonymous Coward on Wednesday June 10 2015, @03:52AM (#194362)

    To add to this, being someone who is hardware rather than software educated, how does this help the average internet user?

  • (Score: 2) by dyingtolive (952) on Wednesday June 10 2015, @05:21AM (#194388)

    By my bleary, past my bedtime comprehension: In theory, it would remove the cost of entry barrier for https connections. To the end user, it could make it so that it doesn't pop up scary warnings about self-signed certs on your browser/mail client. As such, you could also literally encrypt "the web".

    --
    Don't blame me, I voted for moose wang!
  • (Score: 0) by Anonymous Coward on Wednesday June 10 2015, @07:32AM (#194428)

    Mozilla (developers of Firefox) has decided that everybody must use HTTPS, although the security underlying HTTPS is broken by design (any CA can create a certificate for any domain, so all e.g. the NSA needs to do is create their own certificate for your domain to MITM any connection to your server).

    The only point in HTTPS is to extract money for certificates. But Firefox is supposed to be for the free and open web, so they can't be seen doing that. This project is simply to give you certificates for free, so you can keep running your server after Firefox starts demanding HTTPS.

    That this makes the whole HTTPS only thing a pointless exercise seems to have gone right over their heads. The only possible explanation I can see is that corporations likely won't be using these free certificates, so when they are forced from HTTP to HTTPS (not every corporation is a web shop), they will be paying for authentic Verisign certificates.