Could ISRG publicly publish all IRS forms 990 (Return of Organization Exempt from Income Tax) and 1024 (Application for Recognition of Exemption), and any other potentially interesting document?
990s always lag behind a bit but a new one should come out every 12 months or so. The 2017 990 should be available soon through the usual channels.
The expense category ratios in later years are roughly the same as they were in 2017. Staffing costs are dominant, the rest is split roughly equally between the categories we used in 2017. Over time the amount allocated to cloud services has gone up a bit faster than the other categories due to higher log volumes (we use a specialized cloud provider for our short-term log storage and search capabilities because we don’t want to run our own ELK stack) and the fact that we have been working on a cloud-based CT log. In case people don’t know, we do not run any of the core CA infrastructure in the cloud. The infrastructure expenses for the core CA are split up between Hardware and Software and Hosting, but cloud service expenses are all in Hosting.
We decided not to go into that same level of detail after 2017 because as a summary it seemed to create more questions than it really answers. In part that’s because a lot depends on how exactly we categorize certain expenses and that is complicated. Again, the main takeaway is that staffing costs are dominant, and I think we mention that in every post.
Thank you Josh for that detailed answer! It completely answers my questions.
I have an additional question: https://letsencrypt.org/stats/ gives an idea of the number of requests received by Let’s Encrypt, but one metric is missing to get a complete picture of the load / size of the infrastructure needed:
Do you know how many OCSP requests Let’s Encrypt receives on average (both directly and caught by its CDN provider)?
“Our infrastructure also generates and signs around 40 million OCSP responses daily, and serves those responses approximately 5.5 billion times per day.”
That’s from this post:
CDN offload is pretty high, above 90%. I’m not sure what the exact number is at the moment. In terms of resources on our end, obviously the CDN is doing a lot of work. On our end it doesn’t take much compute to sign and serve OCSP, the biggest issue is having enough HSM cryptographic signing capacity. HSMs aren’t cheap or easy to manage.
Has Let’s Encrypt considered using distributed computing and blockchain technologies instead of traditional HSM approaches to offset some of the cost and apply a new-age technology stack that could truly open the SSL stack?
Agree to keeping it free for certificates, but companies should pay for commercial use if they are charging customers for it. If they install a certificate for free, they should make a small donation of goodwill and to further your progress to keep it free and for future upgrades.
I agree with @orangepizza’s observations about the blockchain question. Also, in the Let’s Encrypt academic paper, we talked about this issue a little bit. See the “Gradual deployment is essential” section on page 2484 of https://dl.acm.org/citation.cfm?id=3363192. Many of the people working on Let’s Encrypt are conceptually enthusiastic about replacing or supplementing the CA system with something else, yet decided that the current Let’s Encrypt model was valuable enough to pursue now in a way that’s compatible with the installed base of TLS clients.