top | item 46262221

(no title)

konfekt | 2 months ago

They may have rendered absurd to not have TLS, but they also rendered certification absurd, in the sense that all you get is little more than encryption: if you care about identity, then the free Let's Encrypt certificate coupled to a domain owner's email address gives you little guarantee. Compare this to the extended validation certificates with personally certified credentials and browsers attesting these by, say, a green address bar (instead of today's flat padlock), that a bank customer expects before entering their login data.

Setting up an encrypted web-domain with continual Let's Encrypt certificate renewal has become tedious cargo-culting around the relicts of the idea of a certificate that establishes trust by identity verification.

The collapse of identity-based certification is not Let’s Encrypt’s fault. People naturally choose the easiest option, and Let’s Encrypt supplied it.

Entrusting a handful of commercial certificate authorities with global identity is dubious on first principles anyway, but at least they tried; yet, for all its flaws, that centralized system has proven more practical than the idealistic, decentralized "web of trust".

discuss

No comments yet.