
314 points by Bogdanp | 1 comment

Tepix No.44384559
I think certificates for IP addresses can be useful.

However, if Let's Encrypt were to support S/MIME certificates, it would have a far greater impact. For a few years now, we have had an almost comical situation with email encryption: finally, most important mail user agents (aka mail clients) support S/MIME encryption out of the box. But you need a certificate from a CA to have a smooth user experience, just like with the web. However, all CAs that offer free trustworthy¹ S/MIME certificates with a duration of a year or more² have disappeared. The result: no private entities are using email encryption.

(PGP remains unused outside of geek circles because it is too awkward to use.)

Let's encrypt our emails!

¹ A certificate isn't trustworthy if the CA generates the secret key for you.

² With S/MIME you need to keep your old certificates around to decrypt old mails, so getting a new one frequently is not practical.

wiktor-k No.44384891
> ² With S/MIME you need to keep your old certificates around to decrypt old mails, so having a new one frequently is not practical

You don't need to change your decryption key - the new certificate can use the same decryption keys as the old one (certbot even has a flag: --reuse-key). Whether this is a good idea or not is a separate question.

I think the biggest benefit would be ACME-like automatic certificate issuance. Currently getting a new certificate is just too much friction.

tengwar2 No.44385879
The other thing I would hope for is wildcard certificates. I stopped using S/MIME because I usually create a new email (based on the same domain) for each vendor that I deal with. I would find it useful to be able to get a single certificate covering all email with that domain. Obviously that does mean that anyone else using an email from that domain would have to share the certificate, but for private use that can be acceptable - I don't worry about my wife reading my currently unencrypted email!