Comment by organsnyder

11 years ago

I think that plenty of site admins will be happy to run this software agent—remember, there are many site admins right now that aren't even bothered to set up TLS at all.

I run plenty of tools right now on production boxes that I personally haven't fully audited—we all do. This tool should be simple and widely used enough that it will be trustworthy.

For the cautious, it would be nice if the tool offered a mode that could be run as a normal user, even on a different machine. It'd have to be an interactive process:

1. "Enter domain to be signed."
2. "To validate ownership of the domain, create a TXT record on xxx.example.domain with 'na8sdnajsdnfkasdkey' as the value."
3. "Domain ownership has been validated. Please paste the CSR."
4. "The zone has been signed. Here is your certificate:"

Much less convenient (basically the same as the process with current CAs), but it would allow security-conscious admins to use the CA in a way that is comfortable for them. Since the tool is open source, it should be fairly easy for someone to write their own tool that speaks to the CA while providing this interactive process.

The tool is interesting and to be honest, I'll be comfortable using it (I'm not running anything high-profile or sensitive). However, the real news here is the new CA—the tool is merely a convenience.
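
The four-step interactive flow proposed in the comment above, sketched from the CA's side as an added example; it is not part of the original comment and not the CA's or the tool's actual protocol. The class name, the `_validation` record label, the injected `resolve_txt` callable and the already-parsed `csr_names` list are all assumptions made for illustration.

```python
import hmac, secrets, time

class ManualValidation:
    """CA-side state for the interactive flow (hypothetical, not a real CA API)."""
    def __init__(self, resolve_txt, ttl=3600, now=time.time):
        self.resolve_txt = resolve_txt  # assumed callable: name -> list of TXT strings
        self.ttl, self.now = ttl, now
        self.pending = {}               # domain -> (token, expiry)
        self.validated = set()

    @staticmethod
    def _norm(name):
        return name.lower().rstrip(".")

    def start(self, domain):            # steps 1-2: issue a random challenge
        domain = self._norm(domain)
        token = secrets.token_urlsafe(24)
        self.pending[domain] = (token, self.now() + self.ttl)
        return f"_validation.{domain}", token   # record label is an assumption

    def check(self, domain):            # step 3: look for the token in DNS
        domain = self._norm(domain)
        token, expiry = self.pending.get(domain, (None, 0))
        if token is None or self.now() > expiry:
            self.pending.pop(domain, None)      # expired challenges are dropped
            return False
        records = self.resolve_txt(f"_validation.{domain}")
        if any(hmac.compare_digest(r.encode(), token.encode()) for r in records):
            del self.pending[domain]            # token is single use
            self.validated.add(domain)
            return True
        return False

    def accept_csr(self, domain, csr_names):    # steps 3-4: gate signing
        domain = self._norm(domain)
        if domain not in self.validated:
            raise PermissionError("domain ownership not validated")
        extra = {self._norm(n) for n in csr_names} - {domain}
        if extra:                               # CSR asks for names never proven
            raise PermissionError(f"unvalidated names in CSR: {sorted(extra)}")
        self.validated.discard(domain)          # one certificate per validation
        return True

def demo():
    zone = {}                                   # constructed stand-in for DNS
    ca = ManualValidation(lambda name: zone.get(name, []))
    name, token = ca.start("Example.org")
    before = ca.check("example.org")            # TXT record not published yet
    zone[name] = [token]
    return before, ca.check("example.org"), ca.accept_csr("example.org", ["example.org"])
```

The CSR gate is the part worth noticing: a validation for one domain must not let a pasted CSR carry additional names that were never proven.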