Certificate revocation

I was wondering about censorship. Is it possible that Let’s Encrypt might someday go the same route as Cloudflare (a paid-for service against DDoS attacks) and participate in Internet censorship of a domain by revoking its (free) certificate? Just curious, in this day and age.

I think this is a great service, but could this at some point be in the middle of a controversy?

Hi @knuckles,

There are a lot of Internet intermediaries out there that have the power to interrupt people's online communications:

Certificate authorities like Let's Encrypt are one of those. Let's Encrypt generally aims for content neutrality and wants people to understand that intermediaries like certificate authorities are not the authors of online content and should not be in the business of picking who does or doesn't get to have a web site. All that Let's Encrypt does is confirm that particular encryption keys belong to particular sites; hopefully people won't press to have this kind of clerical function denied to sites that they find objectionable.

The main existing thread related to this is

but the issue has also come up in other contexts, including very recently

In principle, Let's Encrypt's operations are subject to decisions of both U.S. courts and browser root programs, and they might try to get Let's Encrypt to revoke certificates for a reason other than key compromise or invalidity. Some other related threads are

There have been movements for years to try to make Internet communications more decentralized and less dependent on such large numbers of intermediaries. But I think that most people's experience of Internet services has been headed in the direction of greater centralization and greater intermediation. Conceptually, it might be great if people didn't have to rely on DNS providers, CAs, or other organizations in order to be able to communicate online. There are lots of projects that explore this space and there have even been conferences and workshops that focused on decentralizing communications and removing potential communications bottlenecks. But most of the alternatives have remained pretty marginal for most purposes.

I hope that people will accept and respect the norm that intermediaries like CAs are genuinely not responsible for Internet content and that it's not CAs' role to decide who can communicate online or what they can communicate. This norm has brought a lot of benefits. A very concrete one is that Let's Encrypt is able to operate as a not-for-profit organization that doesn't charge fees for certification services because its operations are almost entirely automated and human beings don't routinely review certificate requests either before or after certificate issuance.
