Third party root servers are generally used for looking up TLD nameservers, not for looking up domainnames registered to individuals publishing personal blogs^1
People using the web can choose what software to use. This includes both client software and server software. Arguably the latter ultimately determines whether HTTP is still available on the internet, regardless of whether it is used by any particular client software, e.g., a popular browser
They're focused on the thing that'll get the most people up and running for the least extra work from them. When you say "push" do you just mean that's the default or are they trying to get you to not use another ACME client like acme.sh or one built in to servers you run anyway or indeed rolling your own?
I counted by hand, so it might be wrong, but they appear to list and link to 86 different ACME client implementations across more than a dozen languages: https://letsencrypt.org/docs/client-options/
Onion websites also don't need TLS (they have their own built-in encryption) so that solves the previous commenter's complaint too. Add in decentralized mesh networking and it might actually be possible to eliminate the dependency on an ISP too.
If you think about it the spirit of the internet is based on collaboration with other parties. If you want no third parties, there's always file: and localhost.
CAs are uniquely assertive about their right to cut off your access.
So what does "CA fixes the problem" look like in your head? Because they'll give you a new certificate right away. You have to install it, but you can automate that, and it's hard to imagine any way they could help that would be better than automation. What else do you want them to do? Asking them to not revoke incorrect or compromised certificates isn't good for maintaining security.
CAs have to follow the baseline rules set by Google and Mozilla regarding incident response timelines. If they gave you more time, the browsers would drop them as a supported CA.
1vuio0pswjnm7|4 months ago
Fortunately, one can publish on the www without using ICANN DNS
For example http://199.233.217.201 or https://199.233.217.201
1. I have run my own root server for over 15 years
An individual cannot even mention choosing to publish a personal blog over HTTP without being subjected to a kneejerk barrage of inane blather. This is truly a sad state of affairs
I'm experimenting with non-TLS, per packet encryption with a mechanism for built-in virtual hosting (no SNI) and collision-proof "domainnames" on the home network as a reminder that TLS is not the only way to do HTTPS
It's true we depend on ISPs for internet service but that's not a reason to let an unlimited number of _additional_ third parties intermediate and surveil everything we do over the internet
JoshTriplett|4 months ago
And this is why it's a good thing that every major browser will make it more and more painful, precisely so that instead of arguments about it, we'll just have people deciding whether they want their sites accessible by others or not.
Unencrypted protocols are being successfully deprecated.
JakaJancar|4 months ago
1vuio0pswjnm7|4 months ago
Authoritative DNS nameserver that serves root.zone, e.g., the one provided by ICANN, or maybe a customised one
In my own case it is served only to me on the local network
Many years ago, one of the former ICANN board members mentioned on his personal blog running his own root
unknown|4 months ago
[deleted]
1vuio0pswjnm7|4 months ago
One advertising company through its popular "free browser", a Trojan Horse to collect data for its own purposes, may attempt to "deprecate" an internet protocol by using its influence
But at least in theory such advertising companies are not in charge of such protocols, and whether the public, including people who write server software or client software, can use them or not
sam_lowry_|4 months ago
I know about acme.sh, but still...
tialaramex|4 months ago
Like, the default for cars almost everywhere is you buy one made by some car manufacturer like Ford or Toyota or somebody, but usually making your own car is legal, it's just annoyingly difficult and so you don't do that.
rpdillon|4 months ago
I've used their stuff since it came out and never used certbot, FWIW. If I were to set something up today, I'd probably use https://github.com/dehydrated-io/dehydrated.
rascul|4 months ago
dadrian|4 months ago
MYEUHD|4 months ago
Ajedi32|4 months ago
01HNNWZ0MV43FF|4 months ago
bawolff|4 months ago
There is no magic do it all yourself. Communicating with people implies dependence.
wongogue|4 months ago
kelnos|4 months ago
treve|4 months ago
michaelt|4 months ago
My hosting provider may accidentally fuck up, but they'll apologise and fix it.
My CA fucks up, they e-mail me at 7pm telling me I've got to fix their fuck-up for them by jumping through a bunch of hoops they have erected, and they'll only give me 16 hours to do it.
Of course, you might argue my hosting provider has a much higher chance of fucking up....
Dylan16807|4 months ago
Uvix|4 months ago