Heads up: I work for a company that speeds up the background checks used for EV.
Tying real world identities to public keys is very much a part of crypto. Windows does it with package signing and EV, Debian does it with people holding up their passports at Linux events, and web sites do it with EV HTTPS.
And yes, we (CertSimple) are looking at Certbot support for EV.
Now back to our previous A+. Thanks for the heads up.
I had been logging in to update but the rate of new, severe openssl vulnerabilities - and the risk of missing one, fairly obviously - is high enough I'd rather just apply them immediately. yum-cron's also now enabled to apply openssl updates as soon as they're issued.
> Heads up: I work for a company that speeds up the background checks used for EV.
How much faster? The one time I've gotten an EV cert it took a couple hours to get verified. Didn't seem too long at all and compared to the time to plan the swap out of the cert in production, the wait was a non issue.
The verification itself was a joke though. It was basically just a phone call asking "Are you X? Ok great! Here's your cert!"
> Tying real world identities to public keys is very much a part of crypto.
Joe User isn't going to look at the details and validation chain of a certificate. The whole idea of the green bar for "more trusted" is a scamola by the cert providers as they saw the writing on the wall for their margins going to zero for domain validated ones (granted they saw it early enough to get traction on it!).
> The verification was basically just a phone call asking "Are you X? Ok great! Here's your cert!"
Congratulations, you have an active registered company that was already well known to qualified third parties. Before that phone call happens, the CA has to verify your existence and status by government records and a qualified third party. There are additional steps for certain company structures. They don't just call you and you get the cert - and people are often rejected.
> Joe User isn't going to look at the details and validation chain of a certificate.
Nobody is expecting users to look at the cert details or verification chain. Just the name in the middle of the address bar.
> Tying real world identities to public keys is very much a part of crypto. Windows does it with package signing and EV, Debian does it with people holding up their passports at Linux events, and web sites do it with EV HTTPS.
This would be a legit argument if EV HTTPS actually achieved that goal. They don't, though: the identity verification around EV HTTPS is a joke.
The identity verification is essentially a phone call for most CAs, which verifies nothing. Some CAs do better, but it only takes a few bad apples, and in this case it's not a few bad apples--it's mostly bad apples.
Before that phone call happens a bunch of other work has to happen first - see the other answer for details.
All CAs are audited against the same guidelines: they should be requiring the same levels of proof. From what I've seen (our tech works with different EV providers) that's generally the case.
While EV is certainly more than a phone call, there are certainly flaws. The EV guidelines change over time and I'd like to get them tightened with additional requirements in particular circumstances.
Certificates issued by Let's Encrypt are cross-signed by IdenTrust and are trusted by all major browsers[1]. This is just about their own root certificate. Being cross-signed by an existing, trusted CA is a common practice for new CAs, as it would take years for the CA to become usable in practice otherwise.
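Added example, not part of the thread and not Let's Encrypt's or IdenTrust's own tooling: a throwaway PKI built with openssl that reproduces the cross-signing arrangement the comment above describes. Root A plays the established, widely trusted root (IdenTrust's role), root B the new root, and the leaf is a server certificate issued by B. All names (Old Root A, New Root B, example.test) are constructed for the demo, and the script assumes only that an `openssl` binary (1.1.1 or newer) is on the path.

```sh
#!/bin/sh
# Added example: why a new CA gets its root cross-signed by an established one.
# Everything here is constructed; no real CA material is involved.

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo"; exit 0; }

# build_pki: create root A (old, already in trust stores), root B (new), a
# cross-signed copy of B (B's key and subject, A's signature) and a leaf from B.
build_pki() (
    set -e
    cd "$PKI"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext

    # Self-signed root A.
    openssl req -new -newkey rsa:2048 -nodes -keyout rootA.key -subj "/CN=Old Root A" -out rootA.csr
    openssl x509 -req -in rootA.csr -signkey rootA.key -days 365 -extfile ca.ext -out rootA.crt

    # Self-signed root B; the CSR is kept so A can sign the very same key/subject.
    openssl req -new -newkey rsa:2048 -nodes -keyout rootB.key -subj "/CN=New Root B" -out rootB.csr
    openssl x509 -req -in rootB.csr -signkey rootB.key -days 365 -extfile ca.ext -out rootB.crt

    # Cross-sign: A vouches for B's key. Only issuer and signature differ from
    # rootB.crt, so either certificate can occupy the same slot in a chain.
    openssl x509 -req -in rootB.csr -CA rootA.crt -CAkey rootA.key -CAcreateserial \
        -days 365 -extfile ca.ext -out rootB-cross.crt

    # Leaf (server) certificate issued with B's private key.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -subj "/CN=example.test" -out leaf.csr
    openssl x509 -req -in leaf.csr -CA rootB.crt -CAkey rootB.key -CAcreateserial \
        -days 90 -extfile leaf.ext -out leaf.crt
) 2>/dev/null

# verify_leaf TRUSTED_ROOT [INTERMEDIATE]: exit 0 if leaf.crt chains to the
# trust store; the optional intermediate stands in for what the server sends.
verify_leaf() {
    if [ $# -gt 1 ]; then
        openssl verify -CAfile "$PKI/$1" -untrusted "$PKI/$2" "$PKI/leaf.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$PKI/$1" "$PKI/leaf.crt" >/dev/null 2>&1
    fi
}

# demo_cross_sign: runs the three client situations and returns 0 only if all
# three behave as the cross-signing design predicts.
demo_cross_sign() {
    PKI=$(mktemp -d)
    rc=0
    build_pki || { echo "PKI build failed"; rm -rf "$PKI"; return 1; }

    # 1. Old client trusts only A; the server sends leaf + cross-signed B.
    if verify_leaf rootA.crt rootB-cross.crt; then
        echo "old client, cross-signed chain served:  trusted"
    else
        echo "old client, cross-signed chain served:  NOT trusted"; rc=1
    fi
    # 2. New client already carries root B; A is not needed at all.
    if verify_leaf rootB.crt; then
        echo "new client, root B in trust store:      trusted"
    else
        echo "new client, root B in trust store:      NOT trusted"; rc=1
    fi
    # 3. Old client again, but the server omits the cross-signed certificate:
    #    no path to A exists, so the leaf is rejected.
    if verify_leaf rootA.crt; then
        echo "old client, cross-signed cert omitted:  trusted (unexpected)"; rc=1
    else
        echo "old client, cross-signed cert omitted:  NOT trusted (expected)"
    fi

    rm -rf "$PKI"
    return $rc
}

demo_cross_sign
```

The third case is the one that bites in practice: a client whose trust store predates the new root (an old JDK `cacerts`, an unpatched OS) can only validate the leaf if the server actually serves the cross-signed certificate in its chain, so checking the served chain (for example with `openssl s_client -showcerts`) rather than just the leaf is the useful deployment test.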
Despite a fairly large number of users on XP still (2.5% of total users on some sites I manage), I'll give you that it works on non-obsolete OS browsers. However, those are not the only pieces in the world of security.
Java, for example, only started support as recently as 3 weeks ago (2016-07-19).
I put a LE cert on a project, and some folks calling the API with old Java clients couldn't trust the cert. They could have upgraded, but it was easier to get a commercial cert and be done with it.
Say what? Besides the faux security of the green bar for an EV cert, what's the difference between a LetsEncrypt and a paid one? (non-EV)