I have nurtured the secret belief that the reason that Let's Encrypt renews certificates ("automatically") every three months is not a feature... but a forced limitation by the guys who own the root cert chain.
If I'm a startup, why should I shirk away from paying 9.99 for a RapidSSL certificate from Namecheap and have it working reliably through Ansible/Puppet/Docker... and rather muck about with the chance that my server SSL cert may go down because my Let's Encrypt client was outdated or something.
Or worse, I have a WordPress site running on a PHP host - the best case scenario is that they agree to use a certificate I buy. Running a Python-based client?
The Let's Encrypt root is in-house, not third-party. Certificates are also cross-signed by IdenTrust, but once the Let's Encrypt root is in all major browsers, it won't be necessary to have a cross-signature.
That's not to say that they don't have some other motive for the 90 day expiry, but I don't think they need the support of major CAs for what they're doing at the moment.
I meant the cross-signing. That is the big deal here. And I somehow have this nagging feeling that they were strong-armed into the 3-month renewal policy. No other reason to not have yearly renewals.
Even if they do get into browser roots now, there are hundreds of millions of mobile devices out there that will not accept Let's Encrypt without a cross-sign. Let's face it, Let's Encrypt is dead in the water without IdenTrust (or someone similar).
As mentioned in the other threads, 3-month renewal provides a smaller risk window for compromised domains/certificates.
This is important, considering that certificate revocation is not a universally solved problem, and that Let's Encrypt is aiming to radically increase the amount of certificate issues as a whole.
No strong-arming necessary; I'm pretty sure technical considerations ruled the day here.
ACM's roots are cross-signed by Starfield (GoDaddy, IIRC) while they wait for their inclusion in the browser roots... so I can't see a difference with Let's Encrypt? AFAIK either you have the processes/tech in place to secure your CA and issue certificates, or you don't.
https://mozillacaprogram.secure.force.com/CA/PendingCACertif... shows Mozilla's in-progress certifications -- including Let's Encrypt, Amazon, DocuSign, VISA, a bunch of governments, telcos, existing CAs, and others I don't recognise. Cross-signing is a pragmatic solution for older client devices (e.g. abandonware Android phones) for _any_ CA root, new or otherwise.