User Certs on Let's Encrypt


#1

Hello, this may have been talked about;however i can’t find it. Are user certs on the road map for let’s encrypt or is that out of scope?


#2

There are two types of certificates you may potentially be talking about when you say “user certs:” client certificates and S/MIME (email) certificates. Neither are on the roadmap for Let’s Encrypt right now. And client certificates are generally not issued by a CA, but by the service that accepts them.

There’s a FAQ entry about email certs: Frequently Asked Questions (FAQ)


Are there any plans for LE to issue client certificates
#3

Can I use certificates from Let’s Encrypt for code signing or email encryption?
No. Email encryption and code signing require a different type of certificate than Let’s Encrypt will be issuing.

Maybe it would be nice to ad an short explanation why not technically it is no problem. And would
be promoting secure mails with and common used type. So is it possible to extend the FAQ with an short comment why this is not be planned ?


#4

well Code Signing certs probably have a rather different kind of trust needed since a software can do more or less anything if it has admin access for example and a signature makes the software look trustworthy, but what entity is a code signing cert usually given? Usually it’s the person or buissness or gov entity, eaming that a manual verification is needed and then automation wont work.

Client side certs are as @jsha already said usually given by the verifying entity (your webservice) because on what should LE base the trust to the client, email address would be possible, but it’s safer when each service gives out its own client certs because you cant be tracked that much over different ites if each service uses a different cert?

S-MIME could be possible (obviously by verifying your mail address, but LE has cert transparency, which essentially isnt a bad thing, but do you really want your E-Mail known to the public?
I rather use PGP with key exchange over a different medium.


#5

My1 for code signing it was clear for me why it is not supported. But exactly the explanation that it require another level of trust and verification could be added to the FAQ. S-MIME that can be used as Client Certificates to are an completely different topic.
Yes i did not consider CT but i think nevertheless there should e an switch to include accountMail into the certificate and verify it. Yes i also know the risks of spam but this would allow to use it for domain and mail. And the important point is that even it can be used for spam the signed mail it can also help to remove spam.

  1. If the side use to sign all mail automatic / forum etc… with this certificate you can block unsigned mails from that domain.
  2. I think many responsible domain holder have no problem if their mail is not only in whois but also in the certificate. Personal i even would prefer it even if it does not extend technical the trust personal the felling is good if there is an confirmed contact address.