←back to thread

Getting ready to issue IP address certificates

(community.letsencrypt.org)
314 points Bogdanp | 2 comments | 25 Jun 25 16:21 UTC | HN request time: 0.441s | source
Show context
Tepix ◴[26 Jun 25 05:56 UTC] No.44384559[source]
I think certificates for IP addresses can be useful.

However, if Let‘s encrypt were to support S/MIME certificates, it would have a far greater impact. Since a few years, we have an almost comical situation with email encryption: Finally, most important mail user agents (aka mail clients) support S/MIME encryption out of the box. But you need a certificate from a CA to have a smooth user experience, just like with the web. However, all CAs that offer free trustworthy¹ S/MIME certificates with a duration of a year or more² have disappeared. The result: No private entities are using email encryption.

(PGP remains unused outside of geek circles because it is too awkward to use.)

Let‘s encrypt our emails!

¹ A certificate isn‘t trustworthy if the CA generates the secret key for you.

² With S/MIME you need to keep your old certificates around to decrypt old mails, so having a new one frequently is not practical

replies(7): >>44384654 #>>44384891 #>>44385019 #>>44385077 #>>44385105 #>>44386239 #>>44386412 #
2000UltraDeluxe ◴[26 Jun 25 07:36 UTC] No.44385105[source]
A beautiful vision, but not practically viable. The average user isn't ready to handle private keys -- many can barely be trusted with their email passwords.

This means you either need centrally issued certificates for each domain, or face situations where legitimate users fail to obtain certificates, while cyber criminals send S/MIME-signed emails on the users' behalf.

Once a few generations of users have been trained to use passkeys then we can consider letting users handle key pairs.

replies(2): >>44387230 #>>44388964 #
1. jiehong ◴[26 Jun 25 13:30 UTC] No.44387230[source]
Maybe with a local passkey on device ?
replies(1): >>44388178 #
2. 2000UltraDeluxe ◴[26 Jun 25 15:09 UTC] No.44388178[source]
Based on my personal experience providing support for s/mime setups, you'd need: 1) A centralised solution for managing keys and certificates, connected to a login that the customer will be able to recover in pretty much any situation. 2) Email client support for fetching keys/certificates from the centralised solution. 3) A massive focus on usability and end-user support, because most email users have no idea what a certificate is, or how to use it.

Denmark actually has something similar to this (Sikker mail) but it's mainly aimed at businesses. Based on what I've seen, this resulted in a market for services that bypass the E2E aspect of it because business users can't figure out how to use it. It is also noteworthy that despite this s/mime being available for everyone, Denmark has a public digital mailbox for all citizens and businesses in order to ensure availability.

S/mime is great. It is also not suited for people who barelly know what it is.