(letsencrypt.org)

489 points gslin | 1 comments | 20 Nov 24 06:13 UTC | HN request time: 0.216s | source

Show context

wannacboatmovie ◴[20 Nov 24 07:55 UTC] No.42191675[source]▶

>>42191228 (OP) #

Nothing makes me trust a site with my payment info more than seeing a LE or domain-validated certificate with no ownership details in the DN.

replies(3): >>42191704 #>>42192128 #>>42192826 #

aaomidi ◴[20 Nov 24 08:02 UTC] No.42191704[source]▶

>>42191675 #

The rate of misissuance of EV and OV is much higher than DV.

replies(1): >>42191748 #

wannacboatmovie ◴[20 Nov 24 08:13 UTC] No.42191748[source]▶

>>42191704 #

Source? I'm not questioning it, I'd like to know more. DV always seemed vulnerable to DNS tampering.

replies(2): >>42191943 #>>42200064 #

1. aaomidi ◴[21 Nov 24 01:24 UTC] No.42200064[source]▶

>>42191748 #

I’m active in the WebPKI community (you might want to check out my Substack: https://webpki.substack.com/)

EV and OV when it includes dns names still requires domain control validation anyway.

EV certs are generally manually verified. This means there’s a human factor in the middle of this process. DV certs can, and should, be fully automated.

Multi perspective validation is about to be required too: https://cabforum.org/2024/11/07/ballot-smc010-introduction-o...

↑

Let's Encrypt is 10 years old now