
Comment by indolering

10 hours ago

I mean, I guess the costs are paid for by the domain name fee. But at least it doesn't have to be a charitable activity covered by non-profits. The early HTTPS certs were especially worthless and price-gouging.

> But at least it doesn't have to be a charitable activity covered by non-profits.

LE isn't primarily funded by non-profits, as you can see from the sponsor list here: https://isrg.org/sponsors/

Anyway, I think there's a reasonable case that it would be better to have the costs distributed the way DNSSEC does, but my point is just that it's not free. Rather, you're moving the costs around. Like I said, it may be cheaper in aggregate, but I think you'd need to make that case.

  • > LE isn't primarily funded by non-profits, as you can see from the sponsor list here: https://isrg.org/sponsors/

    I mean, Mozilla got the ball rolling and it's still run on donations (even if they come from private actors).

    > Like I said, it may be cheaper in aggregate, but I think you'd need to make that case.

    The PKI is already there: we have 7 people who can do a multisig for new root keys. There is a signing ceremony in a secure bunker somewhere that gets live streamed. The HSMs and servers are already paid for. Cert transparency/monitoring is nice but now it's hard-coded to HTTPS instead of being done more generically. There's a lot of duplicated effort.

    • > > LE isn't primarily funded by non-profits, as you can see from the sponsor list here: https://isrg.org/sponsors/
      >
      > I mean, Mozilla got the ball rolling

      Among others:

        Let’s Encrypt was created through the merging of two simultaneous
        efforts to build a fully automated certificate authority. In 2012, a
        group led by Alex Halderman at the University of Michigan and
        Peter Eckersley at EFF was developing a protocol for automatically
        issuing and renewing certificates. Simultaneously, a team at Mozilla
        led by Josh Aas and Eric Rescorla was working on creating a free
        and automated certificate authority. The groups learned of each
        other’s efforts and joined forces in May 2013.
      
        ...
      
        Initially, ISRG was funded almost entirely through large donations
        from technology companies. In late 2014, it secured financial
        commitments from Akamai, Cisco, EFF, and Mozilla, allowing the
        organization to purchase equipment, secure hosting contracts, and
        pay initial staff. Today, ISRG has more diverse funding sources; in
        2018 it received 83% of its funding from corporate sponsors, 14%
        from grants and major gifts, and 3% from individual giving.
      

      Except for the period before the launch when Mozilla and EFF were paying people's salaries, including mine, it was never really the case that Let's Encrypt was primarily funded by non-profits.

      > and it's still run on donations (even if they come from private actors).

      I agree, but I think it's important to be precise about what's happening here, and like I said, it's never been the case that LE was really funded by non-profits.

      > > Like I said, it may be cheaper in aggregate, but I think you'd need to make that case.
      >
      > The PKI is already there: we have 7 people who can do a multisig for new root keys. There is a signing ceremony in a secure bunker somewhere that gets live streamed. The HSMs and servers are already paid for. Cert transparency/monitoring is nice but now it's hard-coded to HTTPS instead of being done more generically. There's a lot of duplicated effort.

      I think this is a category error. The main operational cost for DNSSEC is not really the root, which is comparatively low load, but rather the distributed operations for every registry/registrar, and server to register keys, sign domains, etc.

      One way to think about this is that running a TLD with DNSSEC is conceptually similar to operating a CA in that you have to take in everyone's keys and sign them. It's true you don't need to validate their domains, but that's not the expensive part. Operating this machinery isn't free, especially when you have to handle exceptional cases like people who screw up their domains and need manual help to recover. Now, it's possible that it's a marginal incremental cost, but I doubt it's zero. Upthread, you suggested that people are already paying for this in their domain registrations, but that just means that the TLD operator is going to have to absorb the incremental cost.
