←back to thread

LetsEncrypt – Expiration Notification Service Has Ended

(letsencrypt.org)
181 points zdw | 1 comments | 30 Jun 25 04:49 UTC | HN request time: 0.248s | source
Show context
weird-eye-issue ◴[30 Jun 25 10:27 UTC] No.44421562[source]
A company like Postmark should have just given them a free account on the condition they mentioned them at the bottom of emails or something

It's a valuable service for the average person to get these emails without having to set up separate monitoring

replies(2): >>44421824 #>>44422549 #
jaas ◴[30 Jun 25 12:41 UTC] No.44422549[source]
A free account for sending emails would not have changed the decision because it doesn't solve this:

"Providing expiration notification emails means that we have to retain millions of email addresses connected to issuance records. As an organization that values privacy, removing this requirement is important to us."

Now there is no contact information associated with issuance records.

replies(2): >>44422597 #>>44422793 #
mystraline ◴[30 Jun 25 12:46 UTC] No.44422597[source]
If they're that worried about having some random email associated, then perhaps they shouldn't also publish all certs they cut for domains?

https://crt.sh/

Publishing all SSL certs for domains is kind of worse than some random email.

replies(2): >>44422690 #>>44422733 #
woodruffw ◴[30 Jun 25 12:55 UTC] No.44422690[source]
That’s how CT works. They can’t not publish end-entity certificates to CT logs.

(But also, even if they could avoid this somehow: the entire point of a public CA is to publish end entity certificates. The “I want a public certificate while keeping a subdomain secret” model was never particularly coherent.)

replies(1): >>44422789 #
mystraline ◴[30 Jun 25 13:03 UTC] No.44422789[source]
The "I want basic encryption for this subdomain but not announce it to the world" seems rather sane as well.

I dont need cert transparency either. I just needed encryption... Which a self-signed would be fine. But the internet powers that be deem self-signed as 'evil'. And more webtech requires SSL (like you, websockets). Can't even use it locally without SSL.

Paying $x00 for a SSL from some commercial vendor is laughable these days, unless you need a code cert or a onioncert.

replies(3): >>44422893 #>>44422970 #>>44423162 #
1. crabique ◴[30 Jun 25 13:13 UTC] No.44422893[source]
Get a wildcard for the apex domain/higher-level subdomain, the "secret" subdomain will be covered implicitly.

If you don't want the certificate to be in the CT logs, your only options are a private CA or things like CF Origin certificate, depending on how the domain is intended to be accessed.

It's not the end user that "needs" CT, it is a mechanism to ensure no shady CA can misissue a certificate without being caught. Requirements like that are written in blood (see Symantec).