After much work in the background and a previous update covered here at SoylentNews, the guys over at Let's Encrypt have finally given a launch schedule:
Let’s Encrypt has reached a point where we’re ready to announce our launch schedule.
- First certificate: Week of July 27, 2015
- General availability: Week of September 14, 2015
While this is a bit off from the original mid-2015 launch date, it's a great start towards encrypted web communications.
Related Stories
Let's Encrypt has announced the generation of root and intermediate certificates, shared the public keys, and shown the layout of their operational structure. The keys are RSA (the Rivest, Shamir, and Adleman algorithm) for now, with ECDSA (Elliptic Curve Digital Signature Algorithm) versions coming later this year.
The root certificates are for the Internet Security Research Group (ISRG) and, separately, for the ISRG's Online Certificate Status Protocol (OCSP) signing. OCSP is described in RFC 6960 and is used to check whether a certificate has been revoked.
The intermediate certificates are for two different intermediate Let's Encrypt CA (Certificate Authority) servers named/numbered X1 and X2. These are cross-signed by the IdenTrust root CA for ease of deployment and use by existing browsers without the need for any modifications until the browsers add the ISRG root CA through updates. The Let's Encrypt intermediate CA X2 is only intended for disaster recovery in case of a non-functional X1. The Let's Encrypt announcement has a schematic of the structure.
The target is (or was) to launch the Let's Encrypt service in the second quarter of 2015 (which ends this month) and they plan on further announcements during the next few weeks.
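As an added illustration of the layout described above (a constructed example, not Let's Encrypt's own keys, certificates or tooling; every name, subject and path is a placeholder, and "other-root" stands in for the IdenTrust root), this POSIX shell script builds a throwaway PKI with two roots, one intermediate key that receives a certificate from each root, and a leaf, then checks which trust anchor validates the leaf depending on which intermediate certificate is presented. It assumes `openssl` 1.1.1 or later on `PATH`.

```shell
#!/bin/sh
# Constructed demo of a cross-signed intermediate (added example; not Let's Encrypt's
# code or keys). "isrg-root" plays the ISRG root, "other-root" the cross-signing root.
set -eu

DEMO_DIR=${DEMO_DIR:-$(mktemp -d)}

write_profiles() {
  # Minimal req config so the script does not depend on the system openssl.cnf;
  # the subject is always supplied with -subj.
  cat > "$DEMO_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
EOF
  # CA profile: may sign other certificates.
  cat > "$DEMO_DIR/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # End-entity profile: a TLS server certificate with no CA powers.
  cat > "$DEMO_DIR/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# new_key NAME: 2048-bit RSA key (the page notes ISRG's first keys are RSA).
new_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$DEMO_DIR/$1.key" 2>/dev/null
}

# new_csr NAME SUBJECT: certificate request for NAME's key.
new_csr() {
  openssl req -new -config "$DEMO_DIR/req.cnf" -key "$DEMO_DIR/$1.key" \
    -subj "$2" -out "$DEMO_DIR/$1.csr" 2>/dev/null
}

# self_sign NAME: a root certificate, signed with its own key.
self_sign() {
  openssl x509 -req -in "$DEMO_DIR/$1.csr" -signkey "$DEMO_DIR/$1.key" -days 3650 \
    -extfile "$DEMO_DIR/ca.ext" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

# issue CSR ISSUER_CERT ISSUER_KEY PROFILE DAYS OUT: sign CSR under the issuer's key.
issue() {
  openssl x509 -req -in "$DEMO_DIR/$1.csr" -CA "$DEMO_DIR/$2.pem" -CAkey "$DEMO_DIR/$3.key" \
    -CAcreateserial -days "$5" -extfile "$DEMO_DIR/$4.ext" -out "$DEMO_DIR/$6.pem" 2>/dev/null
}

build_demo_pki() {
  if [ -f "$DEMO_DIR/leaf.pem" ]; then return 0; fi   # already built
  write_profiles
  new_key isrg-root;  new_csr isrg-root  "/O=Demo ISRG/CN=Demo ISRG Root";        self_sign isrg-root
  new_key other-root; new_csr other-root "/O=Demo Cross Signer/CN=Demo Cross Root"; self_sign other-root
  # One intermediate key, two certificates for it: issued by isrg-root, cross-signed by other-root.
  new_key x1; new_csr x1 "/O=Demo Lets Encrypt/CN=Demo Authority X1"
  issue x1 isrg-root  isrg-root  ca 1825 x1-isrg
  issue x1 other-root other-root ca 1825 x1-cross
  # The leaf is signed by X1's key; which X1 certificate the server sends decides the chain.
  new_key leaf; new_csr leaf "/CN=www.example.test"
  issue leaf x1-isrg x1 leaf 90 leaf
}

# verify_chain ROOT INTERMEDIATE: does leaf.pem chain to a trust store holding only ROOT?
verify_chain() {
  openssl verify -CAfile "$DEMO_DIR/$1.pem" -untrusted "$DEMO_DIR/$2.pem" \
    "$DEMO_DIR/leaf.pem" >/dev/null 2>&1
}

build_demo_pki
for pair in "isrg-root x1-isrg" "other-root x1-cross" "other-root x1-isrg"; do
  set -- $pair
  if verify_chain "$1" "$2"; then echo "OK    trust=$1 via $2"; else echo "FAIL  trust=$1 via $2"; fi
done
# Expected: OK, OK, FAIL. A client that trusts only other-root (an older browser in the
# page's scenario) validates the leaf only when the cross-signed X1 certificate is served.
```

The third check is the operational point of the cross-signature: a server that ships the ISRG-issued X1 to a client whose trust store lacks the ISRG root fails validation even though the leaf, the key and the signature are identical, so which intermediate you configure on the server is what decides compatibility until the new root is distributed.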
Josh Aas of The Internet Security Research Group reported on September 14:
Let's Encrypt passed another major milestone by issuing our first certificate. You can see it in action here.
Our cross signature is not yet in place, however this certificate is fully functional for clients with the ISRG root in their trust store. When we are cross signed, approximately a month from now, our certificates will work just about anywhere while our root propagates. We submitted initial applications to the root programs for Mozilla, Google, Microsoft, and Apple today.
We're thrilled to finally be a live [certificate authority]. We'll be working towards general availability over the next couple of months by issuing certificates to domains participating in our beta program. You can request that your domain be included in our beta program by clicking here.
If you want to get involved with Let's Encrypt, please visit this page.
See our prior coverage: EFF Offers Free Certificate Authority to Dramatically Increase Encrypted Internet Traffic, The "Let's Encrypt" Project Generates Root and Intermediate Certificates, and "Let's Encrypt" gets a Launch Schedule.
(Score: 5, Insightful) by bradley13 on Thursday June 18 2015, @11:19AM
More encryption - good.
Dead simple installation procedure - excellent.
No more paying ridiculous fees to CAs who do nothing to earn them - icing on the cake.
Everyone is somebody else's weirdo.
(Score: 2) by mtrycz on Thursday June 18 2015, @11:37AM
Love it.
In capitalist America, ads view YOU!
(Score: 5, Insightful) by c0lo on Thursday June 18 2015, @11:50AM
Still a centralized authority to govern your use of encryption? (authority governed by the laws of US and subject to FISA courts?)
A style of encryption which doesn't protect your anonymity (even if it protects your messages)?
Not saying this is not a progress, but surely we should be able to do better.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by bradley13 on Thursday June 18 2015, @01:04PM
Yes, certainly, the whole system needs to be overhauled. A CA should only have the authority to issue a limited set of certificates. Self-signed certs should not be treated like they have leprosy. Etc, etc. Certificate pinning should be semi-automatic, so that you get a warning if a cert changes unexpectedly. And so on...
However, as you say, this is one step in the right direction. Hopefully, others will follow.
Everyone is somebody else's weirdo.
(Score: 2) by ticho on Thursday June 18 2015, @01:08PM
I'm not sure they will. From what I read around the Internet, too many people are looking forward to this service as to an ultimate panacea that will make unicorns and rainbows. My guess is that people will get placated by it for a while, and maybe only after a while, something more starts happening.
(Score: 2) by gnuman on Thursday June 18 2015, @04:25PM
Did IT embrace IPSec? No. Then they have problems with internal security.
Did IT embrace DNSSEC? No again! Then they complain that "CA" model is too centralized, but they completely ignored TLS-DANE, which 100% depends on DNSSEC.
What IT embraces is lazy, and then bitching that something is not perfect enough.
Let's Encrypt is just an attempt to take out the bread-and-butter of the CA cartel, the domain-control certificates. Sure, there is at least one CA that issued free domain control certs, but only 1 per domain, and revocation is not possible without a fee (StartSSL out of Israel). Fortunately, Let's Encrypt may be lazy enough for most IT to implement. Then again, I don't expect the majority of current TLS cert users to switch to Let's Encrypt.
(Score: 2) by NCommander on Friday June 19 2015, @12:10AM
At least for websites, HTTP Public Key Pinning mitigates most of the issue. The CA becomes responsible for securing the first connection, and after that, only the key set by the pins will be accepted.
Still always moving
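An added example of the defender's side of the pinning NCommander describes (constructed; not his code, not Let's Encrypt's, and not any real site's keys): the `pin-sha256` value HPKP carries is the SHA-256 of the certificate's Subject Public Key Info, not of the certificate itself, so a renewal that keeps the key pair keeps the pin, and a backup pin can be computed from a spare key before any certificate exists for it. It assumes `openssl` on `PATH`; key names, the hostname and the `max-age` are placeholders. The same SPKI digest is what application-level pinning such as Android's network security configuration uses, so the helper is useful even where HTTP header pinning is not.

```shell
#!/bin/sh
# Added example: derive SPKI pins with openssl. Constructed keys, not any real site's.
set -eu

DEMO_DIR=${DEMO_DIR:-$(mktemp -d)}

# spki_pin_from_cert CERT.pem: base64(sha256(DER SubjectPublicKeyInfo)) of the cert's key.
spki_pin_from_cert() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# spki_pin_from_key KEY.pem: the same digest, computed from a private key's public half.
# This is how a backup pin is produced for a key that has no certificate yet.
spki_pin_from_key() {
  openssl pkey -in "$1" -pubout -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# pin_header PRIMARY_PIN BACKUP_PIN MAX_AGE: the HPKP response header. Without a backup
# pin for a key kept offline, losing the live key locks returning clients out.
pin_header() {
  printf 'Public-Key-Pins: pin-sha256="%s"; pin-sha256="%s"; max-age=%s\n' "$1" "$2" "$3"
}

# make_demo_cert NAME DAYS: placeholder self-signed certificate plus fresh key (constructed).
make_demo_cert() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = www.example.test\n' \
    > "$DEMO_DIR/req.cnf"
  openssl req -x509 -config "$DEMO_DIR/req.cnf" -newkey rsa:2048 -nodes -days "$2" \
    -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

# reissue NEWNAME KEYNAME DAYS: a new certificate for an existing key, as a renewal produces.
reissue() {
  openssl req -x509 -config "$DEMO_DIR/req.cnf" -key "$DEMO_DIR/$2.key" -days "$3" \
    -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

make_demo_cert live 90      # the key pair currently serving traffic
make_demo_cert backup 90    # a spare key pair; in practice generated and stored offline
LIVE_PIN=$(spki_pin_from_cert "$DEMO_DIR/live.pem")
BACKUP_PIN=$(spki_pin_from_key "$DEMO_DIR/backup.key")
pin_header "$LIVE_PIN" "$BACKUP_PIN" 5184000

reissue live-renewed live 90
echo "pin unchanged after renewal with the same key: $(spki_pin_from_cert "$DEMO_DIR/live-renewed.pem")"
```

Because the pin follows the key, rotating the key (not just the certificate) is what forces a pin change, which is why the backup pin must be published before the old key is retired.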
(Score: 2) by Thexalon on Thursday June 18 2015, @03:22PM
That to me is the best part of the whole deal - sure, the technology is good, but basic certificate installation wasn't all that hard before, the hard part was shelling out cold hard cash to a useless middleman for no good reason.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by bryan on Thursday June 18 2015, @04:49PM
I still don't understand why they couldn't allocate certificates like every other CA. Their model apparently involves an always-running background daemon that constantly phones home and rewrites your webserver configuration file as it pleases.
What was so wrong about generating a certificate signing request (CSR) on your server and then getting a simple certificate (CRT) from your CA? StartSSL [startssl.com] will give you a free certificate today without having to run a proprietary background process.
(Score: 2) by No Respect on Thursday June 18 2015, @06:59PM
I'm unclear on this point as well. Get me a certificate I can put in a local store on a local machine and get out of the way, please. Run some background process forever for :reasons:? No thanks. I will decline for that reason alone.
(Score: 2) by tempest on Thursday June 18 2015, @07:10PM
You don't have to run a daemon to interact with ACME. Provided your certificate is still valid for the period, at any given time you can periodically do a refresh yourself. Personally I'm planning on using a shell script with wget to do it. I may possibly make a more sturdy perl script in the future, but that doesn't seem necessary as the spec is now (although probably not especially fault tolerant).
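The cron-driven approach tempest describes, as an added example (constructed; not tempest's script and not Let's Encrypt's client): a check that runs periodically, inspects the certificate's remaining lifetime with `openssl x509 -checkend`, and only then invokes the renewal command. It assumes `openssl` on `PATH`; the renewal command, `acme-client`, is a hypothetical placeholder for whatever ACME client you use, and the certificates it checks are constructed self-signed ones.

```shell
#!/bin/sh
# Added example: renew from cron instead of a resident daemon. The renewal command is a
# placeholder; the certificates are constructed locally so the script runs offline.
set -eu

DEMO_DIR=${DEMO_DIR:-$(mktemp -d)}

# needs_renewal CERT DAYS: succeeds (exit 0) when CERT expires within DAYS days.
# openssl's -checkend exits 0 if the cert is still valid past the window, 1 if not.
needs_renewal() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# renew_if_due CERT DAYS RENEW_CMD...: run the renewal command only when it is due.
# Always exits 0 so a cron job does not report failure on the common "nothing to do" path.
renew_if_due() {
  cert=$1; days=$2; shift 2
  expiry=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
  if needs_renewal "$cert" "$days"; then
    echo "renew: $cert expires $expiry (within $days days); running: $*"
    "$@"
  else
    echo "skip:  $cert expires $expiry (more than $days days away)"
  fi
  return 0
}

# make_demo_cert NAME DAYS: constructed self-signed certificate with the given lifetime.
make_demo_cert() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = www.example.test\n' \
    > "$DEMO_DIR/req.cnf"
  openssl req -x509 -config "$DEMO_DIR/req.cnf" -newkey rsa:2048 -nodes -days "$2" \
    -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

make_demo_cert fresh 365     # far from expiry: nothing to do
make_demo_cert expiring 5    # inside the 30-day window: renewal runs
for name in fresh expiring; do
  # "acme-client" is a hypothetical placeholder; echo stands in for actually calling it.
  renew_if_due "$DEMO_DIR/$name.pem" 30 echo "(placeholder) acme-client renew --cert $name"
done
```

Run it from a daily crontab entry such as `17 3 * * * /usr/local/sbin/renew-check.sh` (a constructed path); with a 30-day window and the short lifetimes Let's Encrypt planned, a few consecutive failed attempts still leave time to notice before the certificate lapses, and the decision lines make a useful log source for alerting.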
(Score: 2) by stormreaver on Thursday June 18 2015, @07:30PM
I still don't understand why they couldn't allocate certificates like every other CA.
They can and will (your part can be manual, while LE's part is always automated).
While Let's Encrypt is heavily promoting its automation, that's really a tiny, tiny part of what makes it exciting. By far, the HUGE win is having a conglomerate of influential names participate in issuing free certs. The biggest problem with encryption certificates isn't the installation or update process, but the cost of having a certificate that doesn't invoke the untrusted certificate warning in the browser.
That's why I intend to be an early adopter. I plan to request my certificates on release day.
(Score: 2) by NCommander on Thursday June 18 2015, @11:17PM
StartSSL certificates specifically prohibit use by commercial entities, and have other limitations on what their certificates can be used for. Else we would be using them here on SN.
Still always moving