
Epik and #1 SSL CA Sectigo (formerly Comodo SSL) partner. DNEncrypt to be Intermediate CA.

Thread labeled Selling, in Promotional, started by Tin Nguyen, Nov 23, 2019.

Replies: 76 | Views: 3,103

  1. Tin Nguyen (Epik | DNEncrypt Consultant, Epik.com Staff)

    Great news everyone!

    Yesterday, Epik entered into a 2 year operating agreement with SSL market leader Sectigo (formerly Comodo SSL) to become an intermediate certificate authority to issue SSL certificates across all brands of Epik Holdings, Inc.

    This will allow all sites in the SSL lander network to be equipped with Domain Validated (DV), Extended Validated (EV) or Organization Validated (OV) certificates instead of the current LetsEncrypt certificates.

    This is important because we don't know for how much longer LetsEncrypt will allow the creation of bulk SSL certificates to produce SSLs for free at will, even for organizations with lots of IPv4s, as we have.

    We also don't know whether major search engines will start to view LetsEncrypt certificates as being less compelling as an authority signal versus a paid cert.

    More announcements coming, but for now, this gives us a 2 year window to become a full Root CA while delivering on the vision for DNEncrypt as an alternative to LetsEncrypt.

    Please let me know if you have any questions.

    Tin Nguyen

    @Rob Monster
  2. netlas

    Google is a major backer of LetsEncrypt.
     
  3. equity78 (TLDInvestors.com, TheDomains Staff)

  4. NYJimbo

    LetsEncrypt isn't going anywhere, and it's free. All of my hosting customers (Windows and Linux) use them.
     
  5. Rob Monster (CEO, Epik)

    There is no formal press release yet however, I can confirm that the agreement was executed on Friday. The legal entity DNEncrypt, Inc was filed with WA SOS on Friday. Tin advised on the deal with Sectigo.
     
  6. equity78 (TLDInvestors.com, TheDomains Staff)

    It's funny someone disliked if you made an official press release @Rob
    Oh ok I just asked because I would have written about it, apparently one of your supporters didn't like that.
     
  7. Rob Monster (CEO, Epik)

    I think Samer might have misread your comment. :) There was not anything in your comment to dislike.

    As for your question, it is fine to write about it. I would probably write about it in the context of the broader ecosystem of products that is unfolding to deliver a more resilient and decentralized internet.

    This was hinted at here:

    https://www.namepros.com/threads/hi...ct-managers-and-executive-leadership.1162639/

    Some important pieces are falling into place. I believe we are now the only company in the world that has assembled the full stack:

    - Registry management
    - Registrar
    - Hosting
    - SSL Certificate Authority
    - Content Delivery Network
    - Denial of Service Mitigator
    - IPv4 and IPv6 owner (RIPE member)
    - BGP and ASN operator
    - VPN provider

    The SSL project completes the stack. We can deliver end to end encryption to the edge of the network.

    The last big foundation piece we are working on is the so-called Toki server. Here is a very rough demo:

    https://us.tv/videos/watch/970e088e-758d-40cc-b56a-45dee8614a0f

    It is a $50 server running a proprietary Linux distro that can provide ~500 people with an Internet connection and can run up to 24 hours on a $20 battery for a server that is a little bigger than a deck of cards.
     
    Last edited: Nov 23, 2019
  8. Rob Monster (CEO, Epik)

    For more context on why it is interesting to be pursuing projects that increase resiliency in the full Internet stack while decentralizing more functionality, this is a decent read:

    https://spectrum.ieee.org/tech-talk...rnet-censorship-hangs-over-hong-kong-protests

    There are a lot of innovative projects happening to increase resiliency. The Epik approach preserves the domain name as being the addressing system versus Blockchain that sends domains to the scrap heap.
     
  9. tonyk2000

    (quote begin)

    To increase trust in the application of PKI technology, the CA/Browser Forum has mandated that a CA, in order to issue Publicly-Trusted Certificates, obtain an audit report under a qualified audit scheme performed by a qualified auditor.

    In order to issue SSL certificates, most CAs will need to complete an approved independent third-party audit. There are three alternatives. The first is an audit against WebTrust for Certification Authorities criteria, issued by the WebTrust for Certification Authorities Task Force, a joint task force of the American Institute of Certified Public Accountants and the Chartered Professional Accountants of Canada (CPA Canada). Specifically, WebTrust for Certification Authorities and WebTrust for Certification Authorities – SSL Baseline Requirements Audit Criteria have been developed to meet the CA/Browser Forum's Baseline SSL Requirements.

    Another alternative for an independent third-party audit is an audit that conforms to ETSI EN 319 411-1 or ETSI EN 319 411-2. These standards are published by the European Telecommunications Standards Institute (ETSI).

    Also available, but rarely used, is an audit that conforms to ISO 21188:2006.

    (quote end)

    Source: CA/Browser Forum

    I believe the above is applicable (and originally intended) to those Certification Authorities who issue Extended Validation (EV) Certificates to begin with, and/or to Root CAs (I may be mistaken here).

    Even though the requirements for Intermediate CAs (the Epik/DNEncrypt case) may not be that strict from a practical point of view, may I ask: was Epik/DNEncrypt audited, and, if so, by whom and what is the outcome of said audit ("official" signed document, is it published, can we read it)?
     
  10. NameDeck (SaveDotOrg.org)

    Congrats. That's quite the accomplishment.

    Just wondering why you think let's encrypt is going away at some point? It's more popular than ever and last time I checked there are no signals suggesting they will stop being free.

    On the contrary, they have actually been implementing more features (wildcards etc). I get Epik and subsidiaries want to be sovereign but this comes across a bit negative about let's encrypt. They are actually a major game changer when it comes to SSL.
     
  11. Tin Nguyen (Epik | DNEncrypt Consultant, Epik.com Staff)

    Hi @NameDeck,

    Thanks for your comment and input. To clarify, we do not believe LetsEncrypt is going away and I agree that they're only gaining in popularity and sponsors, rather Epik's reliance on LetsEncrypt is being phased out.

    @tonyk2000

    Thank you for the information and input. Our Sub-CA (Intermediate) technically belongs to Sectigo (formerly Comodo SSL) and as such, Sectigo needs to meet the strict standards and audit requirements. Sectigo is WebTrust certified, and in order to maintain compliance, they are required to undergo a program of continuous scrutiny with formal reviews at least once every 6 (six) months.
     
    Last edited: Nov 24, 2019
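    The arrangement Tin describes (a sub-CA whose own certificate is signed by the publicly trusted root, so browsers accept its leaf certificates through that root) can be reproduced on a workstation with the openssl CLI. The script below is an added example, not code from this thread or from Epik or Sectigo; the CA names and hostname are constructed placeholders, and it assumes an OpenSSL 1.1.1 or newer binary on PATH. It also shows the failure case a site operator most often hits: a server that serves only the leaf, without the intermediate, does not verify against the root alone.

```shell
#!/bin/sh
# Added example: a throwaway root -> sub-CA -> leaf chain built with the openssl CLI.
# Roles mirror the thread: the root plays the publicly trusted, audited CA (Sectigo's
# role), the sub-CA plays the intermediate (DNEncrypt's role), the leaf is a lander
# host certificate. All names and hostnames are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles. pathlen:0 on the sub-CA means it may sign leaves but may not
# create further sub-CAs; the leaf is explicitly not a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:lander.example\n' > leaf.ext

# newkey_csr <name> <subject>: fresh RSA key plus certificate signing request.
newkey_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
}

# 1. Root CA: self-signed with the root key. In production this is the certificate
#    sitting in the browser trust stores and what the WebTrust/ETSI audits cover.
newkey_csr root "/CN=Placeholder Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.crt 2>/dev/null

# 2. Sub-CA (intermediate): its own key, but the certificate is signed by the
#    root's key, so its trust is derived from the root, not from itself.
newkey_csr sub "/CN=Placeholder Sub-CA"
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile sub.ext -out sub.crt 2>/dev/null

# 3. Leaf: issued by the sub-CA for one lander hostname.
newkey_csr leaf "/CN=lander.example"
openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.crt 2>/dev/null

# verify_leaf [with_intermediate]: echoes OK or FAIL. Only the root is trusted. With
# "with_intermediate" the sub-CA cert is supplied as untrusted input, the way a
# correctly configured server sends it in the TLS handshake; without it no chain to
# the root can be built, which is the common "missing intermediate" misconfiguration.
verify_leaf() {
  if [ "${1:-}" = "with_intermediate" ]; then
    openssl verify -CAfile root.crt -untrusted sub.crt leaf.crt >/dev/null 2>&1 \
      && echo OK || echo FAIL
  else
    openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# cert_issuer <file>: the issuer DN, showing who actually signed each certificate.
cert_issuer() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'; }

echo "leaf issued by: $(cert_issuer leaf.crt)"   # the sub-CA
echo "sub-CA issued by: $(cert_issuer sub.crt)"  # the root
echo "with intermediate: $(verify_leaf with_intermediate)"
echo "without intermediate: $(verify_leaf)"
```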
  12. Rob Monster (CEO, Epik)

    In case not aware, LetsEncrypt throttles production. Right now, that throttle is a relatively generous 300 SSLs every 3 hours for every unique IP for a maximum length of 90 days. This is described in the published rate limits for the ACME API and is subject to change:

    https://letsencrypt.org/docs/rate-limits/

    Now, with a /22 IPv4 you get 1022 usable IPs. So, theoretically someone with a /22 could produce more than 2 million unique SSLs per day. Now, let's suppose a bunch of clever folks decided to do that for domains and subdomains, pretty soon you would have a crap load of free SSLs out there and all of a sudden LetsEncrypt is the market leader in SSL/TLS. It has probably already been done with subdomains.

    Officially, in market share reports, I don't see LetsEncrypt being counted as reports show Sectigo as the overwhelming market leader. My sense is that what Sectigo sees in this partnership is that allowing free 90-day certs to be issued makes a clear path to upgrading to higher end certs as the digital brands transition from landers to sites. This is a classic "Point of entry" strategy for Sectigo. DNEncrypt can help there. Win-win.

    Right now, LetsEncrypt allows anyone to issue certs. There is basically zero vetting or curating. Why should browsers trust it when it puts thugs and crooks on the same level as honorable site operators? At some point, LE can systematically begin banning domains. Who decides? Not sure. If national governments can turn off the internet, can those governments pressure LE to block certs for those countries? Possibly.

    There is a good discussion here:

    https://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html

    Governance is also a really important question. If .ORG can be acquired by Ethos, I think it's safe to say that in the digital theater anything can happen, just as Oracle bought MySQL.

    Specific to Change of Control, from what I can tell, it is extremely hard to find a copy of the articles of incorporation for the parent entity. I will pay $100 in Epik account credit to the first person who can find a copy of their Articles of Incorporation for Internet Security Research Group. As near as I can gather, you may have to go visit them at 1 Letterman Drive in San Francisco to get it! Transparency anyone?

    The final notable thing that our engineers recognized is that there will be some important challenges in the network architecture for Toki servers going forward where we might have a very large number of decentralized Toki servers, e.g. 1 million Toki servers in a few years from now. Each one has to maintain end-to-end encryption with no risk of man in the middle attacks, even if no VPN is installed on the client.

    As you can see, there is some logic to why we felt it wise to vertically integrate this competency in order to complete the stack. This arrangement gives us a 2 year window to do it well, while navigating the decision on how to become a Root CA. I am happy with it and think Sectigo is too.
     
  13. Rob Monster (CEO, Epik)

    For anyone interested, here is a good primer on TLS by Eric Rescorla, co-founder of LetsEncrypt:
    Since he talks fast, some people seem to like the idea of watching it at 0.75X. :)
     
  14. Randolph (Reverse Engineer)

    Great job, Tin. This is big.

    I don't believe LetsEncrypt will ever lose its validity but Epik's use case certainly warrants this. Frankly, the industry needs more CAs.

    All Articles are public record and can be found by searching Google for "_state_ business entity database". They will not always list them by name, you will see a list of business documents, select the oldest date and it should be their Articles.

    ARTS-PB, Internet Security Research Group
    https://businesssearch.sos.ca.gov/Document/RetrievePDF?Id=03569614-16391090
     
  15. oskaaay (Founder, GetDomainData.com)

  16. Rob Monster (CEO, Epik)

    Yes, did that and also went to the CA SOS site, which includes some periodic updates. What you found there is a cover sheet with a single paragraph amendment. The full Articles of Incorporation or Bylaws of the Corporation seem extremely hard to find on any public site, which is interesting since they are incorporated as a California Public Benefit Corporation.

    On the California SOS website, you get only this:

    (image: upload_2019-11-24_7-48-8.png)

    I am no expert on Public Benefit Corporations, but I believe they are required to file some additional disclosures including Public Benefit Reports.

    It is super-cool that they have issued more than 800 million SSLs:

    (image: upload_2019-11-24_7-53-47.png)

    Question is: Cui bono?

     
    Last edited: Nov 24, 2019
  17. tonyk2000

    Cui bono? If *they* really wanted to have all the internet secured with ssl/tls, the most logical way would be to "whitelist" self-signed certificates. Instead of showing a bunch of red warnings for self-signed ssls... and instead of starting this letsencrypt project. Anybody can obtain a domain validated ssl for almost any domain using letsencrypt or a cpanel-powered instant sectigo cert, which is also free and 3 months long. It proves that the requester owns the domain name (or has technical control). So does a self-signed certificate (one should be able to point the domain to a server in order to run a website with a self-signed certificate). Real encryption is the same. The only practical difference is that it is still not easy to run a clone of, let's say, paypal.com with a self-signed cert locally (and somehow hack the dns of the nearest public wifi hotspot to send paypal visitors to a clone). But such a difference is caused by extended validation (paid) ssls if we think about it...

    So, free-for-all ssls are, honestly, one big nonsense. Imho. They serve no purpose. Except that the browsers with their default settings are checking validity of each and every ssl each time the "secure" website is loaded;). So, somebody has access to all (ssl-protected) website names visited by each particular individual. What a surveillance klondike for the orwellian society. Sorry if offtopic, but hope it is OK - still Epik related :)
     
    Last edited: Nov 24, 2019
  18. NameDeck (SaveDotOrg.org)

    So how is this a bad thing? I know for your use case you'd like to be as independent as you can possibly get but how would using Sectigo be any different? If I'm not mistaken they can be considered the market leader so wouldn't that leave you vulnerable to the same thing? Also, they're owned by an equity firm so... don't need to explain my concerns about that.

    As for rate limiting, it's even worse actually. You can use it with IPv6 so the number of IPs you can use to request certs from is 'limitless'.

    Do I understand correctly that you think that Sectigo expects that people will upgrade their DV certs used for landers to EV certs later on? Or is that your projection? I think that's the only part where DNEncrypt could make a real difference. Affordable/free EV certificates. Integration for Toki is cool though. I love that project.

    But, how is allowing anyone to generate a cert a bad thing? It's the encryption that matters and they are audited by WebTrust just the same, following set industry standards. I wouldn't say there's no vetting or curating.

    I don't buy into that article you linked. It's all whatif/then/else/or... hearsay. The same 'security issues' can be attributed to any CA.

    I think this is where the real win is for you. To be clear, I'm not trying to attack you but merely engaged as the content of the post from OP doesn't do justice to the huge accomplishment of LetsEncrypt.

    Now what I'm really curious about is will you be looking into offering affordable/free EV certs? I think that could disrupt the market even more and be a real gamechanger. Securitywise.
     
  19. Rob Monster (CEO, Epik)

    Thanks Tony.

    When it comes to free anything with no apparent strings attached, some healthy skepticism seems appropriate. I have not done a deep dive on the governance of LetsEncrypt, but I like the idea of there being alternatives, just as BitMitigate is an emerging alternative to "free" CloudFlare, and with no hidden agenda.

    So, I think your comment is not off-topic at all. That being said, what is a "Surveillance klondike"?

    (image: upload_2019-11-24_8-45-18.png)

    Is that like a "Covfefe" or did you invent a new expression that is begging an explanation so the rest of us can keep up with that sharp intellect of yours?
     
  20. NameDeck (SaveDotOrg.org)

    That's a misconception of what SSL/TLS is about. It's about encrypted connections/data. Not about trust of a website.

    I think every website should use it this day and age. There's no technical or monetary reason not to do it.
     
  21. NameDeck (SaveDotOrg.org)

    Unfortunately just when it's emerging they dropped the free tier?
     
  22. tonyk2000

    Not covfefe. Sorry, I'm not thinking in English :) It seems I translated the phrase wrong. I simply meant the Klondike Gold Rush - Canada, between the years 1896 and 1900, gold "fever" or whatever it was called. And added it as an adjective implying "golden, perfect, great" with the "Surveillance" noun.
     
    Last edited: Nov 24, 2019
  23. tonyk2000

    By the way, does Epik *acting as CA* have plans to offer normal paid 1-2 year ssl certs for external domains, not necessarily for-sale domains or Epik-regged domains? Pricing? The best I found so far are from NameCheap and from their ssls.com brand (cheaper).
     
    Last edited: Nov 24, 2019
  24. Rob Monster (CEO, Epik)

    If you mean CloudFlare, they still have a free plan but you share an SSL certificate with ~50 total strangers. That does not seem like a genius move to me but to each his own.

    If you mean BitMitigate, we do have free BitMitigate bundled with products like SSL landers, and cPanel hosting. It is tightly bundled in the Resilient Domain service.

    The revenue model of BitMitigate is self-sustaining. If you use a free CDN/DDoS service, then you have to ask again Cui Bono? I am pretty sure you know that CloudFlare started out as "Project Honeypot".

    Do a Toki search: https://toki.com/?q=cloudflare project honeypot

    You find gems like this: https://www.projecthoneypot.org/about_us.php
     
  25. tonyk2000

    I may be too paranoid, but I never trusted Cloud Flare. Yes it does work. But, what or who is really behind them... They appeared out of nowhere (almost). With advanced infrastructure. And tons of IPs (even though the lack of IPv4 addresses problem was already serious at that time).
     
