
LetsEncrypt is not the only ACME provider, and there are hundreds of regular CAs. Nothing about TLS certificates is centralized; there's just market concentration as a result of good UI/UX by LetsEncrypt, but there are open-source ACME implementations available, the protocol itself is in the process of being standardized, and nothing keeps other CAs from running the same service; in fact, many are planning to do just that.


>Nothing about TLS certificates is centralized

You're right that there are additional ACME providers, but the reliance on just a handful of default root cert stores is what makes HTTPS centralized, even if TLS isn't.


Most big apps bundle their own certificates/certificate authorities for cert pinning already. They can switch to their own CA system any time.

Sadly, DANE has failed because DNSSEC has failed on the American market. Hopefully we'll find an alternative for these protocols in the future.



