Most active commenters
  • weird-eye-issue(3)

←back to thread

LetsEncrypt – Expiration Notification Service Has Ended

(letsencrypt.org)
181 points zdw | 11 comments | 30 Jun 25 04:49 UTC | HN request time: 0s | source | bottom
Show context
weird-eye-issue ◴[30 Jun 25 10:27 UTC] No.44421562[source]
A company like Postmark should have just given them a free account on the condition they mentioned them at the bottom of emails or something

It's a valuable service for the average person to get these emails without having to set up separate monitoring

replies(2): >>44421824 #>>44422549 #
1. jaas ◴[30 Jun 25 12:41 UTC] No.44422549[source]
A free account for sending emails would not have changed the decision because it doesn't solve this:

"Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us."

Now there is no contact information associated with issuance records.

replies(2): >>44422597 #>>44422793 #
2. mystraline ◴[30 Jun 25 12:46 UTC] No.44422597[source]
If they're that worried about having some random email associated, then perhaps they shouldn't also publish all certs they cut for domains?

https://crt.sh/

Publishing all SSL certs for domains is kind of worse than some random email.

replies(2): >>44422690 #>>44422733 #
3. woodruffw ◴[30 Jun 25 12:55 UTC] No.44422690[source]
That’s how CT works. They can’t not publish end-entity certificates to CT logs.

(But also, even if they could avoid this somehow: the entire point of a public CA is to publish end entity certificates. The “I want a public certificate while keeping a subdomain secret” model was never particularly coherent.)

replies(1): >>44422789 #
4. ◴[30 Jun 25 12:58 UTC] No.44422733[source]
5. mystraline ◴[30 Jun 25 13:03 UTC] No.44422789{3}[source]
The "I want basic encryption for this subdomain but not announce it to the world" seems rather sane as well.

I dont need cert transparency either. I just needed encryption... Which a self-signed would be fine. But the internet powers that be deem self-signed as 'evil'. And more webtech requires SSL (like you, websockets). Can't even use it locally without SSL.

Paying $x00 for a SSL from some commercial vendor is laughable these days, unless you need a code cert or a onioncert.

replies(3): >>44422893 #>>44422970 #>>44423162 #
6. weird-eye-issue ◴[30 Jun 25 13:03 UTC] No.44422793[source]
It didn't need to be a requirement
replies(1): >>44423179 #
7. crabique ◴[30 Jun 25 13:13 UTC] No.44422893{4}[source]
Get a wildcard for the apex domain/higher-level subdomain, the "secret" subdomain will be covered implicitly.

If you don't want the certificate to be in the CT logs, your only options are a private CA or things like CF Origin certificate, depending on how the domain is intended to be accessed.

It's not the end user that "needs" CT, it is a mechanism to ensure no shady CA can misissue a certificate without being caught. Requirements like that are written in blood (see Symantec).

8. jcranmer ◴[30 Jun 25 13:20 UTC] No.44422970{4}[source]
> I just needed encryption... Which a self-signed would be fine. But the internet powers that be deem self-signed as 'evil'.

Self-signed certificates don't actually provide useful encryption, since they are trivially MITM-able.

9. woodruffw ◴[30 Jun 25 13:41 UTC] No.44423162{4}[source]
> The "I want basic encryption for this subdomain but not announce it to the world" seems rather sane as well.

Not really: we learned a hard lesson decades ago that encryption isn’t especially meaningful unless you know who you’re encrypting to. Self-signed certificates are the classic “your communications are secure, but you’re talking with satan” example.

As others have said: if you want to keep a specific subdomain label out of CT, you can issue a wildcard certificate instead. But the Web PKI as a whole is correct in not letting you do encrypted communication with a service without having some established notion of that service’s identity.

10. addandsubtract ◴[30 Jun 25 13:43 UTC] No.44423179[source]
Neither is sending emails :)
replies(1): >>44423577 #
11. weird-eye-issue ◴[30 Jun 25 14:15 UTC] No.44423577{3}[source]
Yeah, but nobody said it was a requirement

But it was obviously valuable enough for them to be doing it for over a decade

I remember it being helpful to me personally when I was using LE when it first came out