
From what I gather, Let's Encrypt meets the guidelines to be considered acceptable, but is not really mentioned anywhere, neither in the linked page nor on https.cio.gov - is there any feeling one way or the other on the use of Let's Encrypt for .gov?

Certainly one of the biggest headaches of the classic approach is forgetting to renew your certificate on time, a situation which Let's Encrypt effectively avoids.




Let's Encrypt isn't specifically mentioned in the post, though the post hits the underlying point:

> GSA provides extensive guidance to agencies on HTTPS deployment at https.cio.gov, and encourages .gov domain owners to obtain low cost or free certificates, trusted by the general public. As a general matter, more expensive certificates do not offer more security value to service owners, and automatic deployment of free certificates can significantly improve service owners’ security posture.

This is also repeated here:

https://https.cio.gov/certificates/#what-kind-of-certificate...

Two GSA programs automate Let's Encrypt to deploy certificates on demand:

* https://www.digitalgov.gov/2016/09/07/lets-encrypt-those-cna...

* https://cloud.gov/docs/apps/custom-domains/#managed-service-...

There's also a USG amendment to the Let's Encrypt Terms of Service that GSA negotiated with them to make it easier for agencies to use it:

https://letsencrypt.org/documents/LE-US-State-Local-SA-Amend...



