Well, again, DNS has been treated as the source of ground truth for many PKI purposes most of the time for years. It's not new to Let's Encrypt in any way. And it's been a requirement in order to achieve this:
And domain registrants and site operators are extremely heterogeneous in ways that could make cert issuance extremely difficult if we made applicants do something new and manual, especially in the offline world.
On the other hand, I've also written skeptical articles about PKI and worried about the fragility of Internet security. Your concerns aren't misplaced, in that a lot of the stuff we rely on is super-fragile.
But in many ways, it's been getting better over time as CAs' power has been getting more and more circumscribed by new rules and technical mechanisms. We have Baseline Requirements amendments that give CAs less discretion in their operations and require more transparency from them. We have CT, we have CAA, we have must-staple, we have databases that researchers can use to find problems. (For a while we also had HPKP.)
So I'd urge you to take your passion about this issue and work on some more security mechanisms to improve the infrastructure, because there's lots more that can be done.
Also, if you come up with good new deployable mechanisms, Ryan Sleevi will be glad to help you make them mandatory for CAs. :-)
While I appreciate your encouragement, I really dislike the trend of everyone using HTTPS. It's wasteful, it's inconvenient, it's unnecessary, it's overly complex, and it doesn't even provide much real security. People still get hacked, corporations still leak data, the governments of the world continue to spy on our digital emissions. But HTTPS gives everyone a nice fuzzy comfy warm blanket of security to wrap themselves around and forget about the pale reality of life on the internet. (My apologies, I've been really into Russian literature lately)
I don't think anybody would want to implement the kinds of technology and solutions I would provide, because every time I bring them up (in forums like this one, and others), people either ignore them or argue against them, and I have no interest in pushing large boulders up hills.
But I would like to thank you for your work. I appreciate that you all are trying to make things better.
> it's inconvenient, it's unnecessary, it's overly complex, and it doesn't even provide much real security. People still get hacked, corporations still leak data, the governments of the world continue to spy on our digital emissions. But HTTPS gives everyone a nice fuzzy comfy warm blanket of security to wrap themselves around and forget about the pale reality of life on the internet.
Yes, it's inconvenient, and people will still get hacked, but it's also getting easier to do, it _does_ help, and as Snowden showed, encryption really does help deter governments from spying.
I think it's currently unfair to https websites that non-https websites aren't considered insecure.
https://letsencrypt.org/stats/#percent-pageloads
And domain registrants and site operators are extremely heterogeneous in ways that could make cert issuance extremely difficult if we made applicants do something new and manual, especially in the offline world.
On the other hand, I've also written skeptical articles about PKI and worried about the fragility of Internet security. Your concerns aren't misplaced, in that a lot of the stuff we rely on is super-fragile.
But in many ways, it's been getting better over time as CAs' power has been getting more and more circumscribed by new rules and technical mechanisms. We have Baseline Requirements amendments that give CAs less discretion in their operations and require more transparency from them. We have CT, we have CAA, we have must-staple, we have databases that researchers can use to find problems. (For a while we also had HPKP.)
So I'd urge you to take your passion about this issue and work on some more security mechanisms to improve the infrastructure, because there's lots more that can be done.
Also, if you come up with good new deployable mechanisms, Ryan Sleevi will be glad to help you make them mandatory for CAs. :-)