StartCom termination announcement

General discussion and chat (archived)
Moonchild
Pale Moon guru
Posts: 35602
Joined: 2011-08-28, 17:27
Location: Motala, SE

StartCom termination announcement

Post by Moonchild » 2017-12-02, 15:18

So, it looks like the bullies won; StartCom as a CA has been strong-armed into folding as a business.
This morning I received an e-mail from them, announcing their termination as a CA:
StartCom wrote: Subject: StartCom termination announcement

Dear customer,

As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.

The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in StartCom's website.

StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years.

StartCom would like to thank you for your support during this difficult time.

StartCom is contacting some other CAs to provide you with the certificates needed. In case you don't want us to provide you an alternative, please, contact us at {{redacted}}

Please let us know if you need any further assistance with the transition process. We deeply apologize for any inconveniences that this may cause.

Best regards,

StartCom Certification Authority
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Thehandyman1957

Re: StartCom termination announcement

Post by Thehandyman1957 » 2017-12-03, 03:19

This is a sad trend, and I'm seeing it in many different places. How will this affect you or the project? :think:

Moonchild

Re: StartCom termination announcement

Post by Moonchild » 2017-12-03, 11:53

Thehandyman1957 wrote: This is a sad trend, and I'm seeing it in many different places. How will this affect you or the project? :think:
It affects me and the project by needing less flexible and much more expensive CAs to get certificates.
I'm in the process of setting up code signing with Certum, and have moved web certificates over to Comodo. I'll be phasing out palemoon.net SSL because it's a double expense for that I can't keep making with a per-domain purchase instead of StartCom's per-identity purchase (which makes a lot more sense but hey, per-domain brings in more money).

As an aside: If anyone is familiar with Certum's cryptographic card use, I could use your help. I have a certificate issued, and it and the private key pair are on the crypto card, but for the life of me I can't manage to get signtool to grab it for signing. I sent their support department a request for help but received no reply.

joe04

Re: StartCom termination announcement

Post by joe04 » 2017-12-03, 22:42

Here's some backstory for context:
viewtopic.php?p=117501
Moonchild wrote: A recent issue supported by Let's Encrypt's crap CA practices: I bought something for a specialized t-shirt shop in the past. Recently, a different company copied their website under a very similar sounding name, after having bought or scraped past customer e-mail addresses (most likely it's been (through) their Chinese distributor that they were having issues with getting shirts actually delivered that were ordered), copied their products into it, and then sent out mass e-mail to past customers pretending to be the original company. Their website was, you guessed it, SSL-enabled with Let's Encrypt. With how LE won't revoke any certificates, it means that the cert will be valid and active for the full 3 months and there's nothing the original company can do about it except sending e-mail out to their past customers warning about the fraud, which they have. In 3 months, the shell company will have had a bunch of orders that were paid without fulfilling them, and probably will have people lose their money to it.
This is the only place I've heard about the drawbacks of Let's Encrypt. The few other places I've heard it mentioned seem to think of it as a way to some SSL utopia.

btw, LE recently reached their 100 millionth cert issued:
https://letsencrypt.org/2017/06/28/hund ... certs.html

Moonchild

Re: StartCom termination announcement

Post by Moonchild » 2017-12-03, 22:59

Let's Encrypt is not a party I trust, period.
Besides, it'd still not help me with code signing, even *if* I wanted a 1-factor, no-verification type of SSL on my websites.

Locked