Comment by ZeroConcerns a day ago

13 replies

Effectively single-vendor. I'm not aware of any ACME-compatible CAs that don't have pernicious limits on their free plans (and if there are, I'd love to hear!), and here in the EU we've even recently lost a rather big player...

arccy a day ago

Google Trust Services: https://pki.goog/

  • rainsford 13 hours ago

    I'm glad there are free alternatives to Let's Encrypt, but a major PKI provider also being by far the largest browser provider feels like a disaster waiting to happen. The check on PKI providers doing the right thing is browsers including them (or not) in their trust stores. Having both sides of that equation being significantly controlled by the same entity fundamentally breaks the trust model of WebPKI. I'm sure Google has the best of intentions, but I don't see how that's in any way a workable approach to PKI security.

dmurray a day ago

"multiple vendors, but only one of them is nice enough to give the product away for free" is not "effectively single-vendor".

The other CAs aren't prohibitively priced for anyone who has a business need for lots of certificates, in case Let's Encrypt disappears or goes rogue.

  • ZeroConcerns a day ago

    > other CAs aren't prohibitively priced

    Not if you look at the per-cert pricing, but if you factor in the cost of "dealing with incompetent sales" and "convincing accounting to keep the contract going", they absolutely are.

    • toast0 a day ago

      When I was working with Digicert a decade ago, it was expensive, but they also had knowledgeable support and with a wildcard cert, they would issue all sorts of 'custom duplicates' by request that were super handy. No incompetent sales, but certainly you do need to make sure accounting will pay.

      • shizcakes 8 hours ago

        Unfortunately DigiCert has gone way downhill.

        We pulled all of our business after they failed to renew a cert with 30d(!!!) notice and got themselves stuck in a loop of useless org re-validations.

        They were completely unresponsive and wasted dozens of hours of our time trying to rectify the situation before we pulled the plug and switched everything to ACME. I still can’t believe we wasted so much time and money with them.

    • pmontra a day ago

      It's not only the sellers of the other party. You have to work with the buyers of your company too. Stuff that costs no money and needs no contracts moves faster than stuff that must be negotiated, agreed upon, and paid for.

arp242 a day ago

Doesn't ZeroSSL do this? acme.sh has been using it as the default for the last few years. As I understand it, it basically offers the same as Let's Encrypt.

  • ZeroConcerns a day ago

    https://zerossl.com/pricing/ suggests a 3-cert limit on the free tier, as well as a huge influx of expected spam...

    • electroly a day ago

      The "ACME Certificates" are free and unlimited. The 3 free "ZeroSSL Certificates" are old-fashioned manual certs: this is a strictly more generous offering than Let's Encrypt!

      > If you have a server or other device that requires automatic issuance of certificates and supports the ACME protocol, you can use our free 90-day ACME certificates on all plans.

    • kemotep a day ago

      I believe that is 3 hosts, not total certs.

      ZeroSSL is integrated with Caddy by default and there’s no indication from Caddy that you would only be able to renew the cert twice before needing to cough up some money.