Comment by pde3
11 years ago
This is just a pre-announcement to let folks (OSes, hosting providers, other platforms) plan and do integration work. Per our own warnings, we definitely don't want this running on production machines until it launches in 2015.
Our Apache code is a developer preview; we'll be working on Nginx next.
ISRG will be operating a new root CA for this project. Although if you think that your choice of CA makes you more or less secure, you may not have understood how PKIX works -- you can buy a cert from whichever CA you like, but your adversary can always pick the weakest one to try to impersonate you.
> ISRG will be operating a new root CA for this project.
Are you going to be cross-signed by IdenTrust or something? If you're really going to try and create a new root CA from scratch, surely you will be impaled on the spike of low coverage for many years?
That's quite a painful spike indeed, but fortunately we'll be cross-signed by IdenTrust.
"ISRG will be operating a new root CA for this project."
Does that mean every client/browser will need to be updated to include the new CA? Or will it somehow be signed by other (competing) CAs?
I like the idea of this project, and I think it's a great thing for the Internet - I just worry that it will take a long time for it to be usable in practice.
No, it will be cross-signed and provide the chain so that it will work immediately in all mainstream browsers.
That's good to hear. Thanks!