What problem are we trying to solve?
- Not enough HTTPS on the Internet
- These numbers should be 100%
... but getting a certificate is hard
- Manual process, different for every provider
- First you have to apply for the certificate...
- ... then you have to figure out how to install it
- Can't we just automate all of this?
A new certificate authority
- Free
- Automated
- Transparent
- Open
- Cooperative
An Automated CA
- Most of the work in issuing a certificate is in verifying domain control
- Let's Encrypt uses a standard protocol to verify domain control automatically
Automated Certificate Management Environment (ACME)
- Suppose someone asks for a certificate for example.com
- How do you know they actually own example.com?
Domain Validation
Give them a challenge that only the domain owner can complete:
- Provision a DNS record for _acme-challenge.example.com
- Provision a file at http://example.com/.well-known/acme-challenge/
- Configure a TLS server on example.com
Automated Validation
- The whole process is laid out in the ACME specification
- How you ask for authorization
- How you fulfill challenges
- How you ask for certificates
- Having a standard protocol means that you can build tools
- The vision is for ACME to be built into web servers, to auto-configure HTTPS
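The DNS and HTTP challenges above share one binding that the slides do not spell out: the CA hands the client a random token, and the client proves control of the name by publishing that token joined to a thumbprint of its ACME account key, so only the account that asked for the certificate can satisfy the challenge. The following Python is added here as an illustration (not code from these slides or from Let's Encrypt's own tooling); it computes the HTTP-01 and DNS-01 values as RFC 8555 and RFC 7638 define them and shows the comparison the CA performs. The account key is a constructed placeholder.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Members that go into the RFC 7638 thumbprint, per key type.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexically ordered, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint(account key))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_expected(token: str, account_jwk: dict):
    """Path the CA fetches over plain HTTP on port 80, and the exact body it expects."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_check_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """The CA side: the body must match exactly (trailing whitespace ignored, as the
    RFC allows), which binds the response to the account key that requested it."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


# Constructed account key: the coordinates are placeholders, not a real key pair.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "placeholder-x-coordinate-not-a-real-key",
               "y": "placeholder-y-coordinate-not-a-real-key"}

if __name__ == "__main__":
    print(http01_expected("constructed-token-from-the-ca", ACCOUNT_JWK))
    print(dns01_txt_value("constructed-token-from-the-ca", ACCOUNT_JWK))
```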
An Open CA
Everything Let's Encrypt uses is open-source:
Pull requests welcome!
Only the beginning...
- Let's Encrypt is currently trusted as a subordinate to an existing CA
- They have applied to be trusted by the browsers
- You can see a real cert at the demo site
- ... or sign up for the beta program
- General availability scheduled for late 2015