undefined | Better HN

0 pointsbflesch2mo ago0 comments

Thank you, I missed the part with several "top of the chain" providers. So all of them would need to go down at the same time for things to really stop working.

How many "top of chain" providers is letsencrypt using? Are they a single point of failure in that regard?

I'd imagine that other "top of chain" providers want money for their certificates and that they might have a manual process which is slower than letsencrypt?

0 comments

mholt2mo ago

LE has 2 primary production data centers: https://letsencrypt.status.io/

But in general, one of the points of ACME is to eliminate dependence on a single provider, and prevent vendor lock-in. ACME clients should ideally support multiple ACME CAs.

For example, Caddy defaults to both LE and ZeroSSL. Users can additionally configure other CAs like Google Trust Services.

This document discusses several failure modes to consider: https://github.com/https-dev/docs/blob/master/acme-ops.md#if...

cpach2mo ago

“Are they a single point of failure in that regard?”

It depends. If the ACME client is configured to only use Let’s Encrypt, then the answer is yes. But the client could fall-back to Google’s CA, ZeroSSL, etc. And then there is no single point of failure.

bfleschOP2mo ago

Makes sense. I assume each of them is in control and at the whims of US president?

cpach2mo ago

It seems that currently most free CAs have a big presence in the US, and employ quite a few US employees.

ZeroSSL/HID Global seems to be quite multi-national though, and it’s owned by a Swedish company (Assa Abloy).

I don’t know what what kind of mitigations these orgs have in place if the shit really hits the fan in the US. It’s an interesting question for sure.

1 more reply

alwillis2mo ago

> Makes sense. I assume each of them is in control and at the whims of US president?

Absolutely not.

If the president attempted to force a US-based CA to do something bad they don't want to do, they would sue the government. So far, this administration loses 80% of the lawsuits brought against it.

1 more reply

mholt2mo ago

They are not in control of the US president.

1 more reply

j / k navigate · click thread line to collapse

0 pointsbflesch2mo ago0 comments

Thank you, I missed the part with several "top of the chain" providers. So all of them would need to go down at the same time for things to really stop working.

How many "top of chain" providers is letsencrypt using? Are they a single point of failure in that regard?

I'd imagine that other "top of chain" providers want money for their certificates and that they might have a manual process which is slower than letsencrypt?

0 comments

mholt2mo ago

LE has 2 primary production data centers: https://letsencrypt.status.io/

But in general, one of the points of ACME is to eliminate dependence on a single provider, and prevent vendor lock-in. ACME clients should ideally support multiple ACME CAs.

For example, Caddy defaults to both LE and ZeroSSL. Users can additionally configure other CAs like Google Trust Services.

This document discusses several failure modes to consider: https://github.com/https-dev/docs/blob/master/acme-ops.md#if...

cpach2mo ago

“Are they a single point of failure in that regard?”

bfleschOP2mo ago

Makes sense. I assume each of them is in control and at the whims of US president?

cpach2mo ago

It seems that currently most free CAs have a big presence in the US, and employ quite a few US employees.

ZeroSSL/HID Global seems to be quite multi-national though, and it’s owned by a Swedish company (Assa Abloy).

I don’t know what what kind of mitigations these orgs have in place if the shit really hits the fan in the US. It’s an interesting question for sure.

1 more reply

alwillis2mo ago

> Makes sense. I assume each of them is in control and at the whims of US president?

Absolutely not.

If the president attempted to force a US-based CA to do something bad they don't want to do, they would sue the government. So far, this administration loses 80% of the lawsuits brought against it.

1 more reply

mholt2mo ago

They are not in control of the US president.

1 more reply

j / k navigate · click thread line to collapse