On 17/02/2017 05:11, Timothy Pearson wrote:
> Timothy Pearson wrote:
>> LetsEncrypt does not appear to be secure enough as it effectively
>> requires automated certificate installation on the master servers, and
>> furthermore I expect it to be removed from as a fully trusted root CA
>> or at least demoted in some way in the future [3].
>
> I'd suggest a little more research while paying attention to the
> originating source material (CAs who are losing money). At least one
> of the FUD sources in your link has been responded to:
> https://unmitigatedrisk.com/?p=552.
>
> What I personally don't care for from Let's Encrypt is the short expiry
> time effectively requiring automated install. Whenever you have automated
> install from a third party onto a local machine this is generally an
> opening for security problems at some point down the line -- I have yet to
> see a system without a human in the loop where this has not happened.
>
> If Let's Encrypt wasn't pushing their own tools in lieu of the relatively
> standard methods for setting up SSL encryption, and provided a more
> reasonable expiry time, they would be far more attractive. As it stands,
> one could easily run into a worst case scenario with nearly expired certs
> that Let's Encrypt refuses to or cannot renew, and that's a risk that is
> very hard to accept.
>
> Finally, while not directly applicable to TDE, Let's Encrypt still does not
> support wildcard certificates. This would make e.g. logins to QuickBuild
> impossible without significant technical changes, sucking time away from
> TDE itself onto the tools required to control modern cloud services.
Personally, I think Let's Encrypt is great. It's about time that us
smaller guys can get hold of legitimate certs without being ripped off.
The short expiry time is no hassle at all, nor is their automation; in
fact, I consider it a plus and I can't see how they can be considered to
be 'pushing' anything, merely offering options. A cron job to download a
certificate, up to a month before it expires, is simple enough and gives
plenty of time if there is an unforeseen problem.
The third of your links seems to me to be an apologist script for the
big CAs (I can almost read their tears) and it wouldn't surprise me if
the poster had some association or other with a large CA.
Clearly, it's a matter of your choice, but I for one am well pleased
with this simple and free certificate option.
Oh, and thanks again for TDE :)
Cheers,
Mike.
--
Mike Howard
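The renew-a-month-early policy from Mike's reply, combined with Timothy's "human in the loop" concern, as an added example that is not part of this thread: a small Python check, meant to run from cron, that classifies a certificate's remaining lifetime from the `notAfter=` line printed by `openssl x509 -noout -enddate`. The thresholds (30 days to start renewing, 14 days to also alert an operator) and the `check_certificate` wrapper are assumptions for illustration.

```python
"""Classify a certificate's remaining lifetime so a cron job can renew early
and, if renewal keeps failing, page a human well before expiry."""
import subprocess
from datetime import datetime, timedelta, timezone

RENEW_DAYS = 30   # start renewing a month before expiry (assumed threshold)
ALERT_DAYS = 14   # still not renewed with two weeks left: involve a person


def parse_enddate(line: str) -> datetime:
    """Parse 'notAfter=Mar  4 12:00:00 2017 GMT' (openssl -enddate output)
    into a timezone-aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(
        tzinfo=timezone.utc)


def renewal_decision(not_after: datetime, now: datetime) -> str:
    """Return 'ok', 'renew', 'renew+alert' or 'expired'.

    'renew' is the normal automated path; 'renew+alert' means automation has
    had over two weeks to succeed and has not, so a human must look at it."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=ALERT_DAYS):
        return "renew+alert"
    if remaining <= timedelta(days=RENEW_DAYS):
        return "renew"
    return "ok"


def check_certificate(path: str, now=None) -> str:
    """Hypothetical wrapper: read the expiry of a PEM file with openssl and
    classify it. Not exercised by the test (needs openssl and a real file)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-enddate"],
        check=True, capture_output=True, text=True).stdout
    return renewal_decision(parse_enddate(out),
                            now or datetime.now(timezone.utc))


if __name__ == "__main__":
    import sys
    # e.g. run from cron: exit non-zero on anything but 'ok' so the job's
    # mail/alerting picks it up
    state = check_certificate(sys.argv[1])
    print(state)
    sys.exit(0 if state == "ok" else 1)
```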