CertSimple 5: DBA support, instant rekeying, flat pricing (certsimple.com)
18 points by alecmuffett 2 hours ago





Author here: if people aren't familiar with webcrypto (https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_...) it's a way to do real crypto, using the OS and openssl / boringssl (Google's openssl fork). I.e., it's not 'JavaScript crypto', but actually has proper randomness, hence properly unguessable keys. When we make keypairs with webcrypto, the private key never leaves the browser, so CertSimple doesn't know it.

That said, if a user prefers to make keys on their own machine we create a custom bash / powershell script to create the necessary CSR and private key in a single paste - no clicking, no Q and A, and without installing anything.

WebCrypto is browser Javascript crypto. You cannot rely on it to allow browsers to keep secrets from servers: the server has a variety of different straightforward ways to compromise cryptosystems it feeds to browsers.

Randomness is far from the most important problem with browser Javascript crypto; critics of browser crypto generally assumed that browser Javascript would get secure randomness at some point. The most important problem with this scheme is that there's no way to provide assurance that the browser JS runtime is what the user of an application expects it to be.

WebCrypto was chartered as a way to recreate the DRM schemes that Flash video plugins relied on, without needing plugins. You can read the working group notes to see that. It was never intended as, and cannot function as, a way of creating "server-proof" crypto apps.

It'd be nice if CertSimple had a LetsEncrypt (obviously with some kind of auth - perhaps based on a secondary private/public key pair unrelated to the certificate(s)?) style tool to allow issuing/renewing certificates for a known account.

I understand that the initial proof of entity needs some human involvement on our end, but surely once it's proved, renewals could be automated?

Automated issuance is on our roadmap and ACME/Certbot support is something we'd like to do if possible. We still have some prequisites we need to sort out first (like proper subscription billing) but the idea is solid. ACME would be preferable over a custom automatic renewal mechanism since theoretically it would allow existing clients to get and renew EV certs automatically but we'll have to start actually hacking it to see.

You still need to reconfirm identity before the new cert is issued. E.g., we have a lot of startups as customers and they often forget to pay a bill, and are no longer an active entity according to their Secretary of State (we flag this up before payment). So it wouldn't ever be entirely automated but that doesn't meant we can't do automated renewal: ACME tries to renew repeatedly a month before the cert expired and we can block until identity is reconfirmed.

Do you have the specific steps/requirements for each country documented somewhere?

The country, and TLD, and type-of-business (active registered company, DBA, sole prop, onion), and other logic (detecting inconsistencies between data sources, determining if whois privacy is in use, etc) are implemented and documented in source code - CertSimple itself is an engine to meet those rules and handle those exceptions.

The requirements for EV itself are in CABForum docs, see https://certsimple.com/blog/are-ev-ssl-certificates-worth-it for an overview.

