Let’s Encrypt

Today we announced a project that I’ve been working on for a while now – Let’s Encrypt. This is a new Certificate Authority (CA) that is intended to be free, fully automated, and transparent. We want to help make the dream of TLS everywhere a reality. See the official announcement blog post I wrote for more information.

Eric Rescorla and I decided to try to make this happen during the summer of 2012. We were trying to figure out how to increase SSL/TLS deployment, and felt that an innovative new CA would likely be the best way to do so. Mozilla agreed to help us out as our first major sponsor, and by May of 2013 we had incorporated Internet Security Research Group (ISRG). By September 2013 we had merged a similar project started by EFF and researchers from the University of Michigan into ISRG, and submitted our 501(c)(3) application. Since then we’ve put a lot of work into ISRG’s governance, found the right sponsors, and put together the plans for our CA, Let’s Encrypt.

I’ll be serving as ISRG’s Executive Director while we search for more permanent leadership. During this time I’ll remain with Mozilla.

Too many people to thank for their help here, many of whom work for our sponsors, but I want to call out Eric Rescorla (Mozilla) and Kevin Dick (Right Side Capital Management) in particular. Eric was my original co-conspirator, and Kevin has spent innumerable hours with me helping to create partnerships and the necessary legal infrastructure for ISRG. Both are incredible at what they do, and I’ve learned a lot from working with them.

Now it’s time to finish building the CA – lots of software to write, hardware to install, and auditing to complete. If you have relevant skills, we hope you’ll join us.

6 thoughts on “Let’s Encrypt”

  1. I like the idea of verifying that I can place a file on my web-site, but surely this would all be best bootstrapped using DNSSEC/DANE (RFC 6698)?

    You could require that the TLSA DNS record contains a public key hash, use that for your initial bootstrap trust stages.
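The TLSA bootstrap this comment proposes rests on the matching rules of RFC 6698: a record names a selector (full certificate or just the SubjectPublicKeyInfo) and a matching type (raw bytes, SHA-256 or SHA-512), and the client checks the presented certificate against it. The Python below is an added example and is not code from the post, from the commenter, or from Let’s Encrypt; the certificate and SubjectPublicKeyInfo byte strings are constructed placeholders rather than real DER, and the `_443._tcp.example.com.` owner name is assumed. It goes a step beyond the comment by contrasting a key pin (selector 1) with a certificate pin (selector 0) across a certificate reissue.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for DER-encoded data (NOT real keys or certificates).
# In practice cert_der is the server's leaf certificate and spki_der is the
# SubjectPublicKeyInfo extracted from it.
SAMPLE_SPKI = b"constructed-spki-bytes-not-a-real-key"
SAMPLE_CERT_V1 = b"constructed-cert-v1-" + SAMPLE_SPKI
SAMPLE_CERT_V2 = b"constructed-cert-v2-reissued-" + SAMPLE_SPKI  # same key, new cert


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Compute the Certificate Association Data field of a TLSA record.

    selector 0 = full certificate, 1 = SubjectPublicKeyInfo (RFC 6698 s2.1.2).
    matching 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 (RFC 6698 s2.1.3).
    """
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = spki_der
    else:
        raise ValueError(f"unsupported selector {selector}")
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported matching type {matching}")


def format_tlsa(owner: str, usage: int, selector: int, matching: int, data: bytes) -> str:
    """Render a record in zone-file presentation format."""
    return f"{owner} IN TLSA {usage} {selector} {matching} {data.hex()}"


_TLSA_RE = re.compile(r"^(\S+)\s+(?:IN\s+)?TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9A-Fa-f\s]+)$")


def parse_tlsa(line: str) -> dict:
    """Parse one presentation-format TLSA record into its fields."""
    m = _TLSA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a TLSA record: {line!r}")
    owner, usage, selector, matching, hexdata = m.groups()
    return {
        "owner": owner,
        "usage": int(usage),
        "selector": int(selector),
        "matching": int(matching),
        "data": bytes.fromhex(re.sub(r"\s+", "", hexdata)),
    }


def tlsa_matches(record: dict, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate/key matches the record's association data.

    This is only the matching step. The certificate usage field (0-3) decides how
    a match is combined with ordinary PKIX chain validation and is not modelled.
    """
    expected = association_data(cert_der, spki_der, record["selector"], record["matching"])
    return hmac.compare_digest(expected, record["data"])


def demo() -> dict:
    owner = "_443._tcp.example.com."  # assumed owner name for the example
    # DANE-EE (usage 3) with selector 1 and SHA-256: pins the public key only.
    key_pin = parse_tlsa(format_tlsa(owner, 3, 1, 1, association_data(SAMPLE_CERT_V1, SAMPLE_SPKI, 1, 1)))
    # Same usage with selector 0: pins the exact certificate bytes.
    cert_pin = parse_tlsa(format_tlsa(owner, 3, 0, 1, association_data(SAMPLE_CERT_V1, SAMPLE_SPKI, 0, 1)))
    return {
        "key_pin_v1": tlsa_matches(key_pin, SAMPLE_CERT_V1, SAMPLE_SPKI),
        "key_pin_v2": tlsa_matches(key_pin, SAMPLE_CERT_V2, SAMPLE_SPKI),   # reissue keeps the key
        "cert_pin_v1": tlsa_matches(cert_pin, SAMPLE_CERT_V1, SAMPLE_SPKI),
        "cert_pin_v2": tlsa_matches(cert_pin, SAMPLE_CERT_V2, SAMPLE_SPKI),  # reissue breaks a cert pin
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

The practical point is the reissue case: a CA that issues short-lived certificates will replace the certificate often, so a DNS record pinning the full certificate (selector 0) has to be updated at every renewal, while a record pinning the SubjectPublicKeyInfo (selector 1) stays valid as long as the key is reused. Either way the record is only as trustworthy as the DNSSEC chain protecting it.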

  2. Is the plan to offer encryption only certs (i.e. not validation)? Or are the certs going to be validated also? As an end user, is there any way to differentiate between the legit paypal.com cert, and one provided by LE?

    • The intention here is to try to make sure that only the person who has registered the paypal.com DNS address can get a certificate for paypal.com.

  3. This sounds pretty awesome. As far as I can tell, though, it can’t handle localhost/intranet applications — is that right? And the cert issuance isn’t done in a distributed way? (i.e. meaning a single point of attack for a government/whoever.)

    All the same, this resolves a whole host of current problems.

  4. Just a suggestion…the Let’s Encrypt project has a message “We’re unable to accept individual donations at this time…”. Why not put a Bitcoin address on the site? It would take very little effort to do so, and I would donate some BTC to the effort if I could. Thanks!
