Re: A proposal

Even if a cert is $0, it is not zero cost.

Time and effort are not free.

All these options involve an ongoing management/maintenance cost as well.

And are we really proposing the internet should be built on certs from 
free cert providers?  How will they stay in business or the certs remain 
free once the demand for free certs is multiplied by several orders of 

------ Original Message ------
From: "Peter Saint-Andre" <>
To: "Adrien de Croy" <>; "Nicolas Mailhot" 
<>; "Mike Belshe" <>
Cc: "Roy T. Fielding" <>; "HTTP Working Group" 
Sent: 20/11/2013 11:11:50 a.m.
Subject: Re: A proposal
>On 11/19/13 3:04 PM, Adrien de Croy wrote:
>>  I can't imagine a server author taking the step of requiring all
>>  their customers to suddenly buy certs.
>Using TLS does not mean one needs to buy a PKIX certificate from a CA.
>Some CAs issue free certificates, one can use self-signed
>certificates, one can provision keys in DNS (DANE/TLSA), one can use
>PGP keys, one can use anonymous DH cipher suites, etc. You might think
>some of those options are non-starters, but it's incorrect to say that
>mandatory TLS means we're forcing people to buy certificates from CAs.
>--
>Peter Saint-Andre

Received on Tuesday, 19 November 2013 22:14:54 UTC