Morganite Wrote:If your browser likes the rpg.net forums, then it already likes letsencrypt.org certificates. And it probably does.
-Morgan, thinks all signs point to them *being* a trusted authority.
rpg.net issues SSL/TLS certificates? (That seems rather outside of their core competency.) If they don't, then that isn't the sort of "authority" I'm talking about.
I did a bit more investigation of Let's Encrypt - including looking on Wikipedia.
Yeah, they've been around for a few months. (They came out of beta after the last time I visited rpg.net, though.) TLS only, which isn't a big deal considering how broken most versions of SSL are. They issue domain-validated certificates only - that might or might not be an issue.
Oh! Here's a red flag: "Let's Encrypt issues certificates valid for 90 days. Their reason is that these certificates "limit damage from key compromise and mis-issuance" and encourage automation." The first reason doesn't hold water - certificate revocation is a thing. The second reason ... sounds like a lazy authority to me. How serious are these people about providing service?
Bob, do you want to have to renew the site's certificate every three months, even if it is free?--
Rob Kelk
"Governments have no right to question the loyalty of those who oppose
them. Adversaries remain citizens of the same state, common subjects of
the same sovereign, servants of the same law."
- Michael Ignatieff, addressing Stanford University in 2012