Let's Encrypt, A New Free Certificate Authority (Coming Soon)
Bruce Schneier has an interesting post about a new free and open Certificate Authority called Let's Encrypt. Let's Encrypt is designed to let any web server administrator obtain a server certificate that is recognized by the major browsers at no charge and, even more important, automatically. Part of the Let's Encrypt model is automating the steps that prove to the CA that the certificate request is coming from an entity that controls both the server and the domain.
That's huge. Two of the big pains with server certificates are that a) they are expensive and b) obtaining, installing, and renewing them can involve a lot of manual steps. Reducing that friction is a great thing. It would be great if every secure web server had a certificate that was recognized by web browsers and renewed before it expired. This would make certificate-related popup messages so rare that maybe we could convince users to read them and not just automatically say yes.
Let's Encrypt has some high-level juice behind it. The current sponsors are Mozilla, Akamai, Cisco, EFF, and IdenTrust. It will be interesting to see what the other big tech companies (some of whom sell certificates) do.
The service is slated to go live in the summer of 2015.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories, where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.