Have a “pay what you want” option when getting a LetsEncrypt cert, where the amount can be (and usually would be) zero, and display that amount in the cert details shown to the browser user when they click on the green lock icon.
For full combinatoric privacy coverage, there can also be an option to create a cert whose details say that the issuee has chosen not to reveal their payment status – and this option would be available to everyone, whether they paid anything or not.
Thus the possible things one could see when looking at a cert’s details are:
Issuee paid X amount for the cert (where X could be zero).
Issuee does not wish visitors to know anything about payment status.
So if a giant company is paying zero, well, that’s fine, but then they either have to declare that fact on every web page to sufficiently curious web visitors, or they have to visibly choose not to reveal.
I realize that the various cert issuance interfaces are not all equally amenable to including payment flow in the UI, so I’m hand-waving on some of the implementation details here. But this is in principle possible, and for any given interface – at least of the ones I’m familiar with – I can think of some ways to make it work.
Also, a related idea: give donors – those who donate the old-fashioned way, via the web site – a unique code that they can (optionally) use when obtaining a cert, such that the cert would show that it is associated with a donor and (again, optionally) show the amount.
I think it would be technically possible by adding a non-critical certificate extension, but there’s no way browser makers would be convinced to clutter the UI with something that is pure vanity. They’re not even willing to display EV names anymore.
If we’re kicking around fundraising suggestions, I think giving individuals on this forum a donator/donator tier title or icon would be neat. Kind of like in Twitch chat. A nice way for individuals to show gratitude outside of the “Praise” category.
Hi, @stevenzhu. Yes, this doesn’t conflict with that mission statement. The amount can be zero; therefore, certs are still free. What this really is is a convenient way to make a donation and help circulate a cultural expectation around donating (especially for organizations that can obviously pay something).
I don’t know enough about CA/B forum rules to evaluate your statement about that. I assume that the rules are there for a reason and can be changed or clarified if the rulemaking body chooses to do so.
“The process could generate a unique URL on the LetsEncrypt web site. Handle payment there, then give user a unique token to feed into the cert (re)generation UI. User chooses how many cert renewals to divide the amount across.”
Even in the certificate details display? Sure, they aren't going to show it in the browser bar, but I'd think it would be easy enough to show it in the details. Of course, that means pretty much nobody's going to see it...
So, to be clear, this is how it would look (unless you convinced Apple, Microsoft, Google, Mozilla to all implement a new parser for this new vanity certificate extension so that it would have a proper title and description).
I don't think that's particularly appealing to anybody. And every extension you handle is a potential security risk (phishing if it allows arbitrary text, or the possibility to crash/exploit the browser's parsing code). And it bloats the certificate size.
Wow, @kfogel, thanks so much for your support. It means A LOT and this idea is so much fun!
I’m Jenessa, I’m on the fundraising team at Let’s Encrypt.
I think just reiterating a lot of what was already said on this thread - that would be a potentially really big undertaking! And while this whole awesome free, non-profit certificate authority is a HUGE undertaking, I think this would add another whole step into our automation and ease-of-use that’s not currently there.
That being said… I’m super excited for some of the things we are doing with our sponsorship program that I can’t wait to share with you all in the coming days! While not EXACTLY like this, it’s pretty cool.
Also - one really neat thing that I (personally) would love to see more implementations of Let’s Encrypt do (like Web hosters, for example) is similar to what Netlify does: https://twitter.com/edm00se/status/1169271950725779461 It points back to us as a certificate authority to folx using our certificates in a very easy way!
But really, thank you for this post and the idea. We love it when our community and users give back to Let’s Encrypt, which can always be done here: https://letsencrypt.org/donate/
Hi, @jple. Thanks for your reply. That makes sense – this might just be too much effort to be worth it; that’s not for me to decide, since I wasn’t supplying a patch or anything :-).
Responding to @_az: Well, the real benefit comes, I think, not when an individual browser user clicks on the green lock icon to see cert details, but in the fact that donor status would now be conveniently and parseably available (it could be scanned for, parsed by browser extensions, etc). In other words, it’s a technical hook that potentially enables a reconfiguration of cultural expectations/norms – hopefully leading to more money for LetsEncrypt. But again, I can’t really argue with @jple that it’s probably too big an effort to take on.
Meanwhile, the Netlify thing she pointed to is indeed very exciting, and will probably have a greater effect than this idea would have, considering that that’s the kind of interface through which most people (I’m guessing) get their certs these days.