The fundamental error at the very beginning was that two very separate topics got merged into one, all because of the American system's philosophy that everything should be monetized.  Of the two topics, (1) https/encryption and (2) vetting of vendors, the https/encryption should have been purely a technical standard, freely available to anyone to implement.

The height of the resultant perversion was reached when we got the "green bar" era.  What was supposed to be an indicator of the degree of scrutiny/vetting that the vendor passed became perverted into "the more they pay, the greener the bar they get".

If the certs industry wants to survive at all, let them finally work for their money by spending time and research on actually vetting vendors, and let the browsers never participate again in such a perversion.

Long live Let's Encrypt, who rescued us from this.

Hartmut


On Sun 12 Apr 2026 at 07:24:46 -05:00, Trevor Cordes <trevor@tecnopolis.ca> wrote:
On 2026-04-12 Adam Thompson wrote:
> But, yeah, it's here, it's real, and it's a massive shake-up in what
> was already a desperately perverse marketplace (not Trevor, I mean
> the CAs).

A scary rabbit hole to descend down is the thought that Let's Encrypt
(LE) is 60%+ of the cert market already.  This change will probably
make them 99% of the market.  That will give them more market share,
and leverage, more than even gmail has over mail.  This was once a space
that had, what, 6-8 decent-sized competitors duking it out for business?

Talk about single point of failure, single disgruntled-employee
target, single hack target, single gov manipulation target, etc.  And
for those who aren't USA-happy, they appear to be 100% under the
jurisdiction of USA laws.  If I'm other country govs, I'm a bit worried
right about now.  Oh, we don't like your site?  No cert for you!

It would appear the real reason behind all of this is to push everyone
into a validate-every-10-days subscription scheme from big players (or
LE) as well as consolidate the market and force more little setups into
big tech hosting.  Kind of like email hosting: just make it so darn
hard & annoying that no one (except me!) will do it.  The "muh quantum"
and "muh CRLs" would appear to just be scare tactics and obfuscation.

I checked into converting my digicert certs into their ACME-compatible
offering and you basically are then in "enterprise" pricing.  Meaning
no one under 500 employees need apply.  Meaning, it's not even an
option even if I want to go direct!  There are a couple of other
smaller resellers with ACME, but they would appear to require writing
entire oauth/REST API code to make it work, not to mention the normal
overhead of setting up a new business relationship, with the
concomitant risk of jumping through all of the hoops to find a dead
end.

I'm most of the way through setting up uacme with LE using my custom
scripts/templates and it's going pretty well.  If anyone needs to
accomplish similar with salt or ansible or whatever, I can recommend
this highly-scriptable solution, though the docs are a bit sparse on the
paradigms.
_______________________________________________
Roundtable mailing list -- roundtable@muug.ca
To unsubscribe send an email to roundtable-leave@muug.ca