Timothy Pearson wrote:
> Let's Encrypt does not appear to be secure enough as it effectively
> requires automated certificate installation on the master servers, and
> furthermore I expect it to be removed from as a fully trusted root CA or
> at least demoted in some way in the future [3].
I'd suggest a little more research while paying attention to the
originating source material (CAs who are losing money). At least one
of the FUD sources in your link has been responded to:
https://unmitigatedrisk.com/?p=552.
What I personally don't care for from Let's Encrypt is the short expiry
time effectively requiring automated install. Whenever you have automated
install from a third party onto a local machine this is generally an
opening for security problems at some point down the line -- I have yet to
see a system without a human in the loop where this has not happened.
If Let's Encrypt wasn't pushing their own tools in lieu of the relatively
standard methods for setting up SSL encryption, and provided a more
reasonable expiry time, they would be far more attractive. As it stands,
one could easily run into a worst case scenario with nearly expired certs
that Let's Encrypt refuses to or cannot renew, and that's a risk that is
very hard to accept.
Finally, while not directly applicable to TDE, Let's Encrypt still does not
support wildcard certificates. This would make e.g. logins to QuickBuild
impossible without significant technical changes, sucking time away from
TDE itself onto the tools required to control modern cloud services.