Wow. has issued 62% of all active SSL certs in the wild. That’s awesome…but also worrisome? We obviously want all CAs to meet a high quality bar, but if any ecosystem needs healthy diversity, it's this one, right?
Logically I agree with you 100% but emotionally I'm still angry about the cert ecosystem crappiness pre-ACME so I'm going to delay my fear and logic for a few years and let LE enjoy their dominance. It's a nice change.
I don't really see the benefit of diversity when each CA is fully trusted for every domain. A bit of redundancy in case one goes down, but untrusting them isn't a realistic option. What we really need is removing these unnecessary additional trusted parties from the picture.
DV certificates are based on validating domain control. It ultimately depends on the security of DNS but also adds insecure SMTP/HTTP authentication to the table. It'd be better not to have any of this at all and simply use TLSA records directly. Doesn't add new trusted parties.
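As an added illustration (not part of the thread) of the TLSA point above: a DANE-EE record pins the server's key by hash, so a client that already has a DNSSEC-validated TLSA answer can authenticate the key without consulting any CA. The certificate and SPKI byte strings are constructed placeholders, not real DER, and the DNSSEC lookup itself is assumed to have happened elsewhere.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in bytes for a server certificate and its SubjectPublicKeyInfo.
# They are not real DER; the check only hashes or compares them.
SAMPLE_CERT_DER = b"constructed-certificate-der-bytes"
SAMPLE_SPKI_DER = b"constructed-spki-der-bytes"


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '3 1 1 <hex>' into a record."""
    usage, selector, mtype, hexdata = presentation.split(maxsplit=3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_for_spki(spki_der: bytes) -> str:
    """Publisher side: the DANE-EE / SPKI / SHA-256 record a zone would carry."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Client side: derive the bytes the record's data field must equal."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return selected
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest()
    if rec.mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.mtype}")


def dane_ee_matches(records, cert_der: bytes, spki_der: bytes) -> bool:
    """True if a DANE-EE (usage 3) record pins the presented key or certificate.
    Usages 0-2 are skipped here: they still require PKIX chain validation,
    i.e. the CA dependency the thread argues against."""
    for rec in records:
        if rec.usage != 3:
            continue
        if hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data):
            return True
    return False
```

A key rotation without a matching TLSA update fails this check, which is the operational cost that comes with removing the CA from the picture.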
The only value WebPKI has to offer is Certificate Transparency, and that can be implemented for DNSSEC and DANE. Beyond that, they're just an enormous amount of additional trusted parties for each domain doing insecure authentication of the domain. Let's Encrypt is harm reduction.