A couple of things here, starting from the last point. Ten years ago we were told that “reputational risk” would restrain the finance sector … I would hope we have learned the appropriate lesson from the financial crisis…

Now to the main points: A breach of one CA would not affect the customers of the others. By making SSL certs free in an automated fashion, sites for small businesses gravitate to Let’s Encrypt. Of course the threat actor would see the downfall of the CA as a trophy. That’s not the point; it’s the manner in which free and automated have an unintended consequence: the enlarging of a threat surface.

As for motivation, apologies for the cynicism; it’s just that I have been around big companies long enough to know that a group of them collaborate well until something goes wrong. When that happens, the one thing which is remarkably absent is the willingness to own their mistakes. If Let’s Encrypt’s KMS were compromised, I can flat out guarantee you the finger pointing would begin immediately.

You are certainly right, though, about privately owned or publicly traded CAs. Their interest is profits for their shareholders. The security interest of the Internet community coincides with the profit interest of private-sector CAs. Again, because encryption depends entirely on the integrity of the KMS, the market for encryption is better served by a fragmentation of privately held CAs.

This is not a case where “two guys in a bedroom” threw something against the wall to see if it would stick. It is a case where a group of techies are looking at something (Internet security) all from the same perspective, seeing it the same way, and thus are mired in group-think without even realizing it.

