Epik and #1 SSL CA Sectigo (formerly Comodo SSL) partner. DNEncrypt to be Intermediate CA.

Great news everyone!

Yesterday, Epik entered into a 2 year operating agreement with SSL market leader Sectigo (formerly Comodo SSL) to become an intermediate certificate authority to issue SSL certificates across all brands of Epik Holdings, Inc.

This will allow all sites in the SSL lander network to be equipped with Domain Validated (DV), Extended Validated (EV) or Organization Validated (OV) certificates instead of the current LetsEncrypt certificates.

This is important because we don't know for how much longer LetEncrypt will allow the creation of bulk SSL certificates to produce SSLs for free at will, even for organizations with lots of IPv4's as we have.

We also don't know whether major search engines will start to view LetsEncrypt certificates as being less compelling as an authority signal versus a paid cert.

More announcements coming, but for now, this give us a 2 year window to become a full Root CA while delivering on the vision for DNEncrypt as an alternative to LetsEncrypt.

Please let me know if you have any questions.

Tin Nguyen

@Rob Monster

 

Google is a major backer of LetsEncrypt.

 

@Rob Monster is there any formal press release?

 

LetsEncrypt isn't going anywhere, and its free. All of my hosting customers (windows and linux) use them.

 

There is no formal press release yet however, I can confirm that the agreement was executed on Friday. The legal entity DNEncrypt, Inc was filed with WA SOS on Friday. Tin advised on the deal with Sectigo.

 

It's funny someone disliked if you made an official press release @Rob

Oh ok I just asked because I would have written about it, apparently one of your supporters didn't like that.

 

I think Samer might have misread your comment. There was not anything in your comment to dislike.

As for your question, it is fine to write about it. I would probably write about in the context of the broader ecosystem of products that is unfolding to deliver a more resilient and decentralized internet.

This was hinted at here:

https://www.namepros.com/threads/hi...ct-managers-and-executive-leadership.1162639/

Some important pieces are falling into place. I believe we are now the only company in the world that has assembled the full stack:

- Registry management
- Registrar
- Hosting
- SSL Certificate Authority
- Content Delivery Network
- Denial of Service Mitigator
- IPv4 and IPv6 owner (RIPE member)
- BGP and ASN operator
- VPN provider

The SSL project completes the stack. We can deliver end to end encryption to the edge of the network.

The last big foundation piece we are working on is the so-called Toki server. Here is a very rough demo:

https://us.tv/videos/watch/970e088e-758d-40cc-b56a-45dee8614a0f

It is a $50 server running a proprietary Linux distro that can provide ~500 people with an Internet connection and can run up to 24 hours on a $20 battery for a server that is a little bigger than a deck of cards.

 

For more context on why it is interesting to be pursuing projects that increase resiliency in the full Internet stack while decentralizing more functionality, this is a decent read:

https://spectrum.ieee.org/tech-talk...rnet-censorship-hangs-over-hong-kong-protests

There are a lot of of innovative projects happening to increase resiliency. The Epik approach preserves the domain name as being the addressing system versus Blockchain that sends domains to the scrap heap.

 

(quote begin)

To increase trust in the application of PKI technology, the CA/Browser Forum has mandated that a CA, in order to issue Publicly-Trusted Certificates, obtain an audit report under a qualified audit scheme performed by a qualified auditor.

In order to issue SSL certificates, most CAs will need to complete an approved independent third-party audit. There are three alternatives. The first is an audit against WebTrust for Certification Authorities criteria, issued by the WebTrust for Certification Authorities Task Force-a joint task force of the American Institute of Certified Public Accountants and the Chartered Professional Accountants of Canada (CPA Canada). Specifically, WebTrust for Certification Authorities and WebTrust for Certification Authorities – SSL Baseline Requirements Audit Criteria have been developed to meet the CA/Browser Forums Baseline SSL Requirements.

Another alternative for an independent third-party audit is an audit that conforms to ETSI EN 319 411-1 or ETSI EN 319 411-2. These standards are published by the European Telecommunications Standards Institute (ETSI).

Also available, but rarely used is an audit that conforms to ISO 21188:2006

(quote end)

Source: CA/Browser Forum

I belive the above is applicable (and originally intended) to those Certification Authorities who issue Extended Validation (EV) Certificates to begin with, and/or to Root CAs (I may be mistaken here).

Even though the requirements for Intermediate CAs (Epik/DNEncrypt case) may not be that strict from practical point of view, may I ask was Epik/DNEncrypt audited, and, if so, by whom and what is an outcome of said audit ("official" signed document, is it published, can we read it)?

 

Congrats. That's quite the accomplishment.

Just wondering why you think let's encrypt is going away at some point? It's more popular than ever and last time I checked there are no signals suggesting they will stop being free.

On the contrary, they have actually been implementing more features (wildcards etc). I get Epik an subsidiaries want to be sovereign but this comes across a bit negative about let's encrypt. They are actually a major game changer when it comes to SSL.

 

Hi @NameDeck,

Thanks for your comment and input. To clarify, we do not believe LetsEncrypt is going away and I agree that they're only gaining in popularity and sponsors, rather Epik's reliance on LetsEncrypt is being phased out.

@tonyk2000

Thank you for the information and input. Our Sub-CA (Intermediate) technically belongs to Sectigo (formerly Comodo SSL) and as such, Sectigo needs to meet the strict standards and audit requirements. Sectigo is WebTrust certified, and in order to maintain compliance, they are required to undergo a program of continuous scrutiny with formal reviews at least once every 6 (six) months.

 

In case not aware, LetsEncrypt throttles production. Right now, that throttle is a relatively generous 300 SSLs every 3 hours for every unique IP for a maximum length of 90 days. This is described in the published rate limits for the ACME API and are subject to change:

https://letsencrypt.org/docs/rate-limits/

Now, with a /22 IPv4 you get 1022 usable IPs. So, theoretically someone with a /22 could produce more than 2 million unique SSLs per day. Now, let's suppose a bunch of clever folks decided to do that for domains and subdomains, pretty soon you would have a crap load of free SSLs out there and all of a sudden LetsEncrypt is the market leader in SSL/TLS. It has probably already been done with subdomains.

Officially, in market share reports, I don't see LetsEncrypt being counted as reports show Sectigo as the overwhelming market leader My sense is that what Sectigo sees in this partnership is allowing free 90-day certs to be issued makes a clear path to upgrading to higher end certs as the digital brands transition from landers to sites. This is a classic "Point of entry" strategy for Sectigo. DNEncrypt can help there. Win-win.

Right now, LetsEncrypt allows anyone to issue certs. There is basically zero vetting or curating. Why should browsers trust it when it puts thugs and crooks are on the same level as honorable site operators? At some point, LE can systematically begin banning domains. Who decides? Not sure. If national governments can turn off the internet, can those governments pressure LE to block certs for those countries? Possibly.

There is a good discussion here:

https://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html

Governance is also a really important question. If .ORG can be acquired by Ethos, I think safe to say that in the digital theater anything can happen just as Oracle bought MySQL.

Specific to Change of Control, from what I can tell, it is extremely hard to find a copy of the articles of incorporation for the parent entity. I will pay $100 in Epik account credit to the first person who can find a copy of their Articles of Incorporation for Internet Security Research Group. As near as I can gather, you may have to go visit them at 1 Letterman Drive in San Francisco to get it! Transparency anyone?

The final notable thing that our engineers recognized is that there will be some important challenges in the network architecture for Toki servers going forward where we might have a very large number of decentralized Toki servers, e.g. 1 million Toki servers in a few years from now. Each one has to maintain end-to-end encryption with no risk of man in the middle attacks, even if no VPN is installed on the client.

As you can see, there is some logic to why we felt it wise to vertically integrate this competency in order to complete the stack. This arrangement gives us 2 year window to do it well, while navigating the decision on how to become a Root CA. I am happy with it and think Sectigo is too.

 

For anyone interested, here is a good primer on TLS by Eric Rescorla, co-founder of LetsEncrypt:



Since he talks fast, some people seem to like the idea of watching it at 0.75X.

 

Great job, Tin. This is big.

I don't believe LetsEncrypt will ever lose it's validity but Epik's use case certainly warrants this. Frankly, the industry needs more CAs.

All Articles are public record and can be found by searching Google for "_state_ business entity database". They will not always list them by name, you will see a list of business documents, select the oldest date and it should be their Articles.

ARTS-PB, Internet Security Research Group
https://businesssearch.sos.ca.gov/Document/RetrievePDF?Id=03569614-16391090

 

Cool, that's a good move Epik

 

Yes, did that and also went to the CA SOS site, which includes some periodic updates. What you found there is a cover sheet with a single paragraph amendment. The full Articles of Incorporation or Bylaws of the Corporation seem extremely hard to find on any public site, which is interesting since they are incorporated as a California Public Benefit Corporation.

On the California SOS website, you get only this:



I am no expert on Public Benefit Corporations, but I believe they are required to file some additional disclosures including Public Benefit Reports.

It is super-cool that they have issued more than 800 million SSLs:



Question is: Cui bono?

 

Cui bono? If *they* really wanted to have all the internet secured with ssl/tls, the most logical way would be to "whitelist" self-signed certificates. Instead of showing a bunch of red warnings for self-signed ssls... and instead of starting this letsencrypt project. Anybody can obtain domain validated ssl for almost any domain using letsencrypt or cpanel-powered instant sectigo cert, which is also free and 3 months long. It proves that the requester owns the domain name (or has technical control). So does self-signed certificate (one should be able to point the domain to a server in order to run a website with a self-signed certificate). Real encryption is the same. The only practical difference is that it is still not easy to run a clone of lets say paypal.com with self-signed cert. locally (and somehow hack dns of the nearest public wifi hotspot to send paypal visitors to a clone). But such a difference is caused by extended validation (paid) ssls if we think about it...

So, free-for-all ssls are, honestly, one big nonsense. Imho. They serve no purpose. Except that the browsers with their default settings are checking validity of each and every ssl each time the "secure" website is loaded. So, somebody has access to all (ssl-protected) website names visited by each particular individual. What a surveillance klondike for the orwellian society. Sorry if offtopic, but hope it is OK - still Epik related

 

So how is this a bad thing? I know for your usecase you'd like to be as independent as you can possibly get but how would using Sectigo be any different? If I'm not mistaking they can be concidered the marketleader so wouldn't that leave you vulnarable to the same thing? Also, they're owned by an equity firm so... don't need to explain my concerns about that.

As for ratelimiting, its's even worse actually. You can use it with ipv6 so the number of ips you can use to request certs from are 'limitless'.

Do I understand correctly that you think that sectigo expect that people will upgrade their DV certs used for landers to EV certs lateron? Or is that your projection? I think that's the only part where DNEncrypt could make a real difference. Affordable/free EV certificates. Integration for Toki is cool though. I love that project.

But, how is allowing anyone to generate a cert a bad thing? Its the encryption that matters and they are audited by Webtrust just the same, following set industry standards. I wouldn't say theres no vetting or curating.

I don't buy into that article you linked. It's all whatif/then/else/or... hearsay. The same 'security issues' can be attributed to any CA.

I think this is where the real win is for you. To be clear, I'm not trying to attack you but merely engaged as the content of the post from OP doesn't do justice to the huge accomplishment of LetsEncrypt.

Now what I'm really curious about is will you be looking into offering affordable/free EV certs? I think that could disrupt the market even more and be a real gamechanger. Securitywise.

 

Thanks Tony.

When it comes to free anything with no apparent strings attached, some healthy skepticism seems appropriate. I have not done a deep dive on the governance of LetsEncrypt, but I like the idea of there being alternatives, just as BitMitigate is an emerging alternative to "free" CloudFlare, and with no hidden agenda.

So, I think your comment is not off-topic at all. That being said, what is a "Surveillance klondike"?



Is that like a "Covfefe" or did you invent a new expression that is begging an explanation so the rest of us can keep up with that sharp intellect of yours?

 

That's a misconception of what SSL/TLS is about. It's about encrypted connections/data. Not about trust of a website.

I think every website should use it this day and age. There's no technical or monetary reason not to do it.

 

Unfortunately just when it's emerging they dropped the free tier?

 

Not covfefe. Sorry, I'm not thinking in English It seems I translated the phrase wrong. I simply meant the The Klondike Gold Rush - Canada, between years 1896 and 1900, gold "fever" or whatever was it called. And added it as adjective implying "golden, perfect, great" with the "Surveillance" noun.

 

By the way, does Epik *acting as CA* have plans to offer normal paid 1-2 years ssl certs for external domains, not necessary for sale domains or Epik-regged domains? Pricing? The best I found so far are from NameCheap and from their ssls.com brand (cheaper).

 

If you mean CloudFlare, they still have a free plan but you share a SSL certificate with ~50 total strangers. That does not seem like a genius move to me but for each his own.

If you mean BitMitigate, we do have free BitMitigate bundled with products like SSL landers, and cPanel hosting. It is tightly bundled in the Resilient Domain service.

The revenue model of BitMitigate is self-sustaining. If you use a free CDN/DDoS service, then you have to ask again Cui Bono? I am pretty sure you know that CloudFlare started out as "Project Honeypot".

Do a Toki search: https://toki.com/?q=cloudflare project honeypot

You find gems like this: https://www.projecthoneypot.org/about_us.php

 

I may be too paranoid, but I never trusted Cloud Flare. Yes it does work. But, what or who is really behind them... They appeared out of nowhere (almost). With advanced infrastructure. And tons of IPs (even though the lack of IPv4 addresses problem was already serious at that time).