Will the issuance only be for domains?


Can I create a certificate for email, or my own certificate authority? Just wondering…


Certainly not…

[quote=“zagadaa, post:1, topic:1196”]
a certificate for email
[/quote]I think that the certificates will work for mail servers?


Yes, certificates will work for mail servers, see Use on non-web servers?.


Yes, but if you want to use LE certs for email encryption this is not possible:


but it would be epic creating a limited CA, eamsing it can only issue for domains that are verified and that for like a year,
so we might have a longer chain but that is intresting, the question is whether or not that would even work, because generally a CA can sign literally any site…


In theory, LE could issue CA certs that include “Name Constraints”, which – again, in theory – describes which names the certificate is allowed to sign other certificates for. Thus, an end user could apply for a certificate for, say, contoso.com, and LE would issue a CA certificate that would only be valid to sign domain names under contoso.com (foo.contoso.com, some.thing.else.contoso.com, etc.), and would prompt the big red “NOT TRUSTED!!” browser errors if used to sign anything else (such as google.com).

I stress the “in theory” part because, as far as I’m aware, support for this TLS extension is not yet very broad. Firefox supports it, as does OpenSSL as of 1.0.0, but Apple does not, nor does Microsoft. [At least, that was the case a year ago, the most recent update on this status I could find.] So while it would be really sweet to be able to get our own CA certs and not have to pester LE for each certificate we issue to ourselves (and could have more control over the ones we issue ourselves, e.g. defining the validity period), I don’t realistically expect LE nor any other CA to be issuing these any time soon…


but a limited CA that runs like one year so you also cannot go longer than that (coz 3 year certs have their own problems) is a really epic thing. I just wonder why the support status is so low and I wonder how chrome works about it…

but there’s one thing that’s batter than a limited CA, it’s called DANE, pretty epic stuff, but too little support yet, especially since you need a DNSSec DNS Server.


Well, I’m not sold on the idea that long cert expiries are inherently problematic (though I don’t mind the short ones that LE issues, either – really I just don’t care either way, to be honest). As for Chrome support I can’t find anything specific, but if Firefox supports it, and if OpenSSL supports it, I’m pretty sure Chrome would, being based in large part on good chunks of both.

And I certainly agree that DANE would be superb to have! Need much broader DNSSec support first, though; while more registrars are offering it, few third-party DNS hosts seem to – including Cloudflare, which I actually find rather surprising! Would have expected to see them giving us support for DNSSec before free SSL for everyone…


cloudflare already supports it? last time I read they had a beta for like 10 or so people.

also overly-long certs, like 3 years give the attacker a lot more time to attack it especially if it was made using broken standards or similar, what we not hope.


Yeah, re-reading my post that does look like what I’m saying, doesn’t it? I actually meant the opposite: Cloudflare does not currently support it (at least not generally – had forgotten about that beta), which I find surprising as it seems like something they’d want to offer before giving everybody free SSL.


well they want to do DNSSec White lies (live signing a freshly generated NSEC, keep reading for more) so the user gets more privacy because since everything needs to be signed and usually you keep your key offline until you change stuff the nsec (nothing in here) looks like "there is nothing between secure.example.com and ssl.example.com and since (including the root domain) it builds a ring people can easily snoop around your subdomains, well they technically arent really secret in the first place but some people tend to use these things as pseudo-secret…


That’s cool. Personally I don’t mind the NSEC subdomain “leak”, though I get why that would be upsetting to some.

For anyone trying to follow along, here’s Cloudflare’s discussion of the issues and the role of “white lies” in mitigating them.


I wouldnt need that and it would be great if those ppl can just say “I like it the normal way, so give it to me”…