
Let's Encrypt Team – Reddit AMA - ktta
https://np.reddit.com/r/IAmA/comments/5c9ku9/lets_encrypt_team_a_nonprofit_working_to_secure/
======
kbart
There was one interesting question and answer:

Q: _"I find that the reasons given in this thread[0] regarding a particular
certificate revocation are highly unsatisfactory. Can you justify how this
revocation aligns with the views expressed in "The CA's Role in Fighting
Phishing and Malware" without resorting to "Microsoft asked us to and
therefore we had to?"_

A: _"If we want to be a trusted CA we need to comply with the MS root program
rules (and Mozilla/Google/Apple/etc... rules). If they want us to revoke a
cert we have to do it, we don't really have a choice."_

So do I get it right, that if MS or any other big company doesn't like my URL,
site content etc. they can _ask_ to revoke my certificate just like that?
Wow..

0\. [https://community.letsencrypt.org/t/reason-for-revokation-of...](https://community.letsencrypt.org/t/reason-for-revokation-of-1076742682-rsc-cdn77-org/13807/14)

~~~
undisclos3d
That's a serious flaw in their program. Wonder what it would take to resolve
this.

~~~
abstractbeliefs
Well, the onus is on the wider tech community to hold each of the vendors to
account for what they do and don't do.

There's a delicate balance of trust and cooperation between site owners,
vendors, and CAs, where each can make demands and has to serve to a degree
each of the others. In situations where this trust is broken by one party, the
other two will often move to reject them.

An example of this is a CA being rejected by a vendor after they issue invalid
certificates, but on the flip side, a vendor simply throwing a tantrum over a
bad domain and pulling trust will leave them as the only browser that "doesn't
work" with some number of sites, and that reflects badly on them and they will
see fewer people use their products (imagine if only Mozilla ended up
rejecting LE certs!).

------
undisclos3d
That's a serious flaw in their program. Wonder what it would take to resolve
this.

