Getting ready to issue IP address certificates

I think certificates for IP addresses can be useful.

However, if Let‘s encrypt were to support S/MIME certificates, it would have a far greater impact. Since a few years, we have an almost comical situation with email encryption: Finally, most important mail user agents (aka mail clients) support S/MIME encryption out of the box. But you need a certificate from a CA to have a smooth user experience, just like with the web. However, all CAs that offer free trustworthy¹ S/MIME certificates with a duration of a year or more² have disappeared. The result: No private entities are using email encryption.

(PGP remains unused outside of geek circles because it is too awkward to use.)

Let‘s encrypt our emails!

¹ A certificate isn‘t trustworthy if the CA generates the secret key for you.

² With S/MIME you need to keep your old certificates around to decrypt old mails, so having a new one frequently is not practical

PGP has WKD[1] (Web Key Directory) now if you want to use the TLS web of trust for email. TLS certificates are much easier to get than S/MIME certificates. Having a third party do the identity management can be good, but many people do not work for a company where that makes sense. ... and if you do work for such a company, it is better to do the identity management within the company.

I am currently appalled at how little of a wakeup call Signalgate 1.0 was and is[2]. Signalgate was, yet again, a failure of identity management in end to end encryption. You know, the exact thing that S/MIME certificates (or WKD) could help solve in a government environment if the resulting system was actually usable.

[1] https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-s...

[2] https://articles.59.ca/doku.php?id=em:sg (my article)