Exception to rate limits?

michael9 · June 26, 2016, 8:09pm

I work for a large University. We are very distributed. Is it possible to get an exception to rate limits? Paying for the exception should be doable as we are saving money on commercial certs.

Thoughts/Possible?

kelunik · June 26, 2016, 8:11pm

Just a short note:

Bought certificates aren't any more "real".

serverco · June 26, 2016, 8:14pm

It may be worth reading the thread on university rate limits - Rate limiting at an educational institution

michael9 · June 26, 2016, 8:23pm

Good point, I have edited my post.

tialaramex · June 26, 2016, 10:55pm

I doubt it makes sense to “pay for” an exception to the 20 names per week per domain limit because just making that possible adds a burden to the core Let’s Encrypt systems. And it’s certainly easy to imagine that even with the separate FQDNset limit (which has the effect of making renewals not count in that 20 per week) a university might turn over twenty names in a week and run into the limit anyway.

I know that quite a considerable number of universities in the world (but particularly Germany for some reason) have intermediate CAs which chain back to a commercial CA. In the environment that Let’s Encrypt has created it might make sense for a regional education organisation to cut a deal like this on behalf of all qualifying entities in its embrace. In the UK for example we can imagine Jisc (the entity that runs Janet, the network for higher education in the UK) might be interested in that role. They’d probably want to hand control over certificates issued this way to an IT department in each university. Probably ACME would still be appropriate in this scenario, but the ACME server would recognise authorised representatives from each university and issue any names in their domains on their say so. Something like that.

That’s not a neat and immediate solution to your problem, sorry. But it’s maybe part of a broader picture, rather than trying to make everything fit one particular way of doing things.

jvanasco · June 27, 2016, 8:46pm

It shouldn't add a burden to the systems. It would add a burden to the engineers and product, but the systems would not necessarily be affected, as other methods of rate limits would still apply (such as the number of registrations through an IP address).

It would make sense to me if LetsEncrypt offered a premium services that could bypass limits for domains or ip addresses.

kelunik · July 3, 2016, 2:55pm

This is a quite questionable practice. I don't know why universities need their own CAs that could compromise the entire web. In particular, I don't see the need if these CAs are anyway operated by the DFN instead of the universities themselves.

system · August 2, 2016, 2:55pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.