Selling Epik and #1 SSL CA Sectigo (formerly Comodo SSL) partner. DNEncrypt to be Intermediate CA.

Great news everyone!

Yesterday, Epik entered into a 2 year operating agreement with SSL market leader Sectigo (formerly Comodo SSL) to become an intermediate certificate authority to issue SSL certificates across all brands of Epik Holdings, Inc.

This will allow all sites in the SSL lander network to be equipped with Domain Validated (DV), Extended Validated (EV) or Organization Validated (OV) certificates instead of the current LetsEncrypt certificates.

This is important because we don't know for how much longer LetsEncrypt will allow the creation of bulk SSL certificates, producing SSLs for free at will, even for organizations with lots of IPv4s as we have.

We also don't know whether major search engines will start to view LetsEncrypt certificates as being less compelling as an authority signal versus a paid cert.

More announcements are coming, but for now this gives us a 2 year window to become a full Root CA while delivering on the vision for DNEncrypt as an alternative to LetsEncrypt.

Please let me know if you have any questions.

Tin Nguyen

@Rob Monster
 
Yes, did that and also went to the CA SOS site, which includes some periodic updates. What you found there is a cover sheet with a single paragraph amendment. The full Articles of Incorporation or Bylaws of the Corporation seem extremely hard to find on any public site, which is interesting since they are incorporated as a California Public Benefit Corporation.

On the California SOS website, you get only this:


I am no expert on Public Benefit Corporations, but I believe they are required to file some additional disclosures including Public Benefit Reports.

It is super-cool that they have issued more than 800 million SSLs:


Question is: Cui bono?

The cover and attachment Item 2b (unique to "public" purpose companies) were the only documents required for filing.

Articles of Incorporation are required to be public, while Bylaws are not. Many companies choose to publicly display them for transparency, as they should.

Bylaws are created by the founder at time of conception and can be tough to find as they don't always display or label them — I believe the following was meant to be ISRG's "bylaws" or at least satisfies the definition:
https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html

Either way, you are correct that transparency is lacking and no one should have to dig through archives much less head to, mail, or call 1 Letterman Drive.

Hope this helps. I'm sure you're aware of most of this, just helping teach the cohort.
 

Thanks Randolph.

The main thing I am trying to understand is the mechanism for voting control, and in particular the mechanism for triggering and approving a change of control event.

The scenarios that I would be vigilant against would be things like these, ranked in order of severity:

- Sudden change of policy around non-issuance of (free) certs based on black box policy.

- Undisclosed change of policy on who has access to which keys.

- Sudden change of control.

LetsEncrypt has clearly done something innovative, as did CloudFlare. The question is whether that is entirely benevolent, or whether there is a hidden agenda.

For example, we know that Facebook was backed by In-"Q"-Tel, a known VC front for a 3 letter agency that I won't name. It is free, but you pay by willingly self-profiling yourself and your social graph. Handy!

It is odd that a Public Benefit Corporation issuing 800 million SSLs with some of the highest encryption around, has governance cloaked in secrecy.

The topic is a familiar one for me because I see the same nonsense with WIPO and RDAP where "law enforcement", defined as "authorized individuals" to have the ad hoc right to pierce the privacy veil,

Sure, I might be reading too much Orwellian Animal Farm into the narrative, but I prefer to err on the side of caution, protecting clients, while using discernment as to who to serve or not serve.
 
A question that might be off-topic: is free SSL (such as LetsEncrypt) less secure than paid SSL?

For my main website (not related to domaining) I use GoDaddy SSL, paying around $70 per year; if it is no better than free SSL then I might switch to a free one.
 
@Tin Nguyen summed it up nicely.

In short, judging by what you're paying you probably just have a DV SSL. Paying GoDaddy $70 is throwing money down the drain.

Get a cheaper solution or use Letsencrypt. Ask your host. If you're using one of the regular panels (Cpanel/DA) there should be an option to secure your website with a free SSL in the panel.

Actually it is super easy to do it yourself. I applied a free LetsEncrypt cert to one of my websites using Linux commands, but for my main website with traffic I am hesitant to do so, and I feel more secure using the GoDaddy paid one.
 
Yeah, if you know your way around the CLI it's very easy to set up. Do you use a panel as well or pure CLI?

No I don't use cPanel I just use Linux command line (I use VPS not shared hosting).
 

LetsEncrypt only provides DV certificates, which are not good for sites that deal in selling, where the customer uses a credit card to purchase or is required to input their data. Here is a good post on the different types of SSL and why it's important to choose OV SSL instead of DV.

https://www.leaderssl.com/articles/236-the-difference-between-dv-and-ov-certificates
 
My point is a DV certificate is good if you have a simple website where you just blog. But do you think you will use a DV certificate on your online store? I will definitely not use DV for that type of website. There are still tons of people who don't use LetsEncrypt for that reason and are paying a hefty amount to other companies who provide OV and EV SSL.

DNEncrypt will play a big role in the coming days as people want some trusted player who offers OV and EV SSL at a reasonable price.

From a security point of view there's no reason why you shouldn't 'just' use a DV cert. I use only one EV cert and that's not even for a store.

OV/EV certs are about trust, not security. It's just the notion of trust. It's easy and cheap to set up some limited and obtain an OV. EVs are a bit better as they check you have been in business for a certain amount of time (3 years?) I think. They can be worth the cash.

Still, processing sensitive data is just as secure as using a DV cert. That being said, you don't know if the backend is secure. If a website is secured by a cert, who says the underlying backend, database or whatever is processing your data is doing it in an encrypted form?

That's the big issue with people using Cloudflare to wrap SSL around their site. In a lot of cases there is no end-to-end encryption, leaving a lot of room for MITM attacks. The data gets encrypted/decrypted when talking to the origin servers... not a good thing. Lots of people using it have no way to use Full (strict) SSL, lack the knowledge or cannot be bothered to.

Thats where I think DNE could actually make a difference as from what I understand the full chain, end-to-end, will be encrypted.

For people who don't trust DV certs, I'd suggest to be careful on NP as well, as look... a DV certificate ;)
 
DNEncrypt's CA is on pace to go live soon! We'd appreciate your feedback on our logo selection. I personally like A1, but what do you guys think? Please let us know if you'd like to see more concepts, or different color schemes, icon, etc. Thanks!
 
Is it just me or does A1 look like the NameSilo logo color scheme? And, in all cases, DNE is like something separate: DNE+ncrypt. Yeah, it is the domain structure, but it should be possible to eliminate this effect in the logo.
 
It is what it is :) but very good points @NameDeck
Btw, the Sectigo logo/symbol contains a C [upper part] (for Comodo), followed by a cut-off D (secureD), forming a freestyle letter S. (Comodo)secureD by Sectigo

Regards

Yeah, I think I read something along those lines about their rebranding but didn't bother to bookmark it for some reason :). It's a nice touch and I like that they were able to maintain a link to their past in the symbol and give it meaning.

It caught my eye as at the time, just before they rebranded, I abandoned a proposal with a very similar name and somewhat related niche (but more like website security audits).
 
@Rob Monster

As always, thank you for your elaborate response.

Regarding DNEncrypt, I agree. It is what it is. Projects evolve continuously and it's nice to see it taking shape through an organic process. I didn't realise the certification went live already, congrats. As for branding etc., a great product sells itself, everything else is dress-up, and the possibility of a rebrand sometimes actually works as it can give you extra press exposure in the future ;).

I think you know my stance on LetsEncrypt. It's a good thing more people are starting to look into the downside of using LetsEncrypt, I 100% agree. All major companies (or foundations for that matter) that hold a 'monopoly' in a certain area should be watched closely. That TOS issue is somewhat problematic (could be more transparent). For people who are interested, spend some time reading their repository. Most of what you'll want to know is there.

As for the obvious case of a domain that breaks the law, I believe our policy should be simply to block those domains from being able to use the SSL issuance service. We'll see how that goes.

The SSL/TLS area is pretty fascinating. I am glad we initiated exploratory work in this area of the internet delivery value chain. There might be more here than I expected to find.

Interesting concept. Do you know if this is done already by other CAs? I'm pretty sure non-secure connections will be blocked by a lot of services in the near future. It will most definitely work.

However, one of my concerns is that eventually this will lower the bar for issuers to silence free speech at their sole discretion. Not sure how I feel about it yet but worth it to explore. Fascinating indeed!
 
The legal entity DNEncrypt, Inc is formed. The intermediate root certificate order has been submitted. That approval process apparently takes weeks.

The sub-CAs are for both RSA and ECC, as follows:

DNEncrypt SHA2 Domain Secure Site CA - DV

DNEncrypt SHA2 Business Secure Site CA - OV

DNEncrypt SHA2 Extended Validation Secure Site CA - EV

DNEncrypt ECC Domain Secure Site CA - DV

DNEncrypt ECC Business Secure Site CA - OV

DNEncrypt ECC Extended Validation Secure Site CA - EV

A rebrand would cost quite a bit at this point so we'll proceed with the name and tinker around the aesthetic edges while focusing on the user experience for single cert and bulk API provisioning.

The nitty-gritty of who has access to the private key will be managed by trusted security engineers whose identities will be known to me but will not be openly discussed in forums. I won't have access to it.

The free version will be 90 day certs. The paid versions will be up to 2 years. I expect we'll introduce a Forever option where we manage the re-issuance process.

Sweet, looking good. Good call on not disclosing engineers etc. for security. Thanks for the quick update. There are too many Epik projects being worked on to notice every update.

Keep the fire burning ;)
 
So, how much for a normal 2-year DNEncrypt domain validated cert? ;) Just one domain. And, another option - wildcard.

We are still reviewing pricing but will be very competitive. When retail customers come to get the free cert, the paid options will be presented alongside. The UX is under development in parallel to the API. It is a significant project -- a bit bigger than planned but I believe a worthy one. Our intermediate root CA should be cut before year-end, at which point we can start issuing certs to replace LetsEncrypt. @Tin Nguyen and @Ala Dadan should have a preview of the site to share shortly. We have a few more surprises in store.
 
@pereceh

Thanks for your comment. We're currently looking into Standard DV wildcards, meantime working on the most competitive pricing in the industry. Stay tuned.
 
It's funny someone disliked it. Did you make an official press release, @Rob?
There is no formal press release yet however, I can confirm that the agreement was executed on Friday. The legal entity DNEncrypt, Inc was filed with WA SOS on Friday. Tin advised on the deal with Sectigo.

Oh ok I just asked because I would have written about it, apparently one of your supporters didn't like that.
 
So, free-for-all SSLs are, honestly, one big nonsense. IMHO. They serve no purpose. Except that the browsers with their default settings are checking the validity of each and every SSL each time the "secure" website is loaded ;). So, somebody has access to all (SSL-protected) website names visited by each particular individual. What a surveillance Klondike for the Orwellian society. Sorry if off-topic, but hope it is OK - still Epik related.

That's a misconception of what SSL/TLS is about. It's about encrypted connections/data. Not about trust of a website.

I think every website should use it this day and age. There's no technical or monetary reason not to do it.
 
BitMitigate is an emerging alternative to "free" CloudFlare, and with no hidden agenda.

Unfortunately just when it's emerging they dropped the free tier?
 
@Tin Nguyen thanks for the answer. I think I have DV; I am not sure if customers distinguish between DV, OV or EV. Regarding the green bar, I noticed that it is not shown in Chrome, which is strange to be honest! while in Firefox it is shown. So again, how can an end user using Chrome distinguish?

I am starting to think maybe paid SSL is a waste of money after all, unless there is some technical reason otherwise. I remember that I read somewhere that free SSL is a self-signed certificate, while paid SSL is signed by a certificate issuer (e.g. GoDaddy); maybe that is a big plus for security?

thanks
 
Chrome changed it from being a green padlock as they will start blocking not secure websites entirely.

You will notice a grey padlock though. Free SSL isn't self signed so there are no trust issues for browsers and your connection will be encrypted to the same level as when using any other Cert.
 
0
•••
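The two points made in the replies above, that a free certificate is CA-signed rather than self-signed, and that DV/OV/EV describes who the CA vetted rather than how strong the encryption is, can be checked mechanically from the certificate's own fields. The following Python is an added example, not code from this thread or from DNEncrypt. It takes certificate fields in the layout of the standard library's ssl.getpeercert() plus a list of certificatePolicies OIDs, which the standard library does not expose (in practice you would read those with a parser such as the cryptography package; that is an assumption here). The three sample certificates are constructed for illustration and the CA/Browser Forum policy OIDs are the standard ones.

```python
import ssl

# CA/Browser Forum certificatePolicies OIDs that state the validation level.
# The OIDs are the standard ones; everything below them is constructed sample data.
POLICY_LEVEL = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}


def _name_to_dict(name):
    """Flatten an ssl.getpeercert()-style name (tuple of RDN tuples) to {attr: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def lifetime_days(cert):
    """Validity period in whole days, parsed from the GMT strings getpeercert() uses."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return round((end - start) / 86400)


def classify_cert(cert):
    """Summarise what actually differs between free, paid and self-signed certificates.

    `cert` follows the layout of ssl.SSLSocket.getpeercert() (subject, issuer,
    notBefore, notAfter) plus a 'policies' list of certificatePolicies OIDs.
    The standard library does not expose certificatePolicies, so in practice
    the list would come from a parser such as `cryptography` (assumption).
    """
    subject = _name_to_dict(cert["subject"])
    issuer = _name_to_dict(cert["issuer"])
    levels = [POLICY_LEVEL[oid] for oid in cert.get("policies", ()) if oid in POLICY_LEVEL]
    return {
        # Self-signed means subject == issuer: no CA vouched for the name at all.
        # A free CA-issued DV cert is NOT self-signed, which is why browsers trust it.
        "self_signed": subject == issuer,
        # DV/OV/EV is a statement about what the CA verified, not about key size
        # or cipher strength; those are negotiated in the TLS handshake regardless.
        "validation": levels[0] if levels else "unknown",
        # Only OV/EV carry a vetted organisation name in the subject.
        "organization": subject.get("organizationName"),
        "lifetime_days": lifetime_days(cert),
    }


# Constructed samples (not real certificates).
FREE_DV = {  # a 90-day automated DV cert, the kind LetsEncrypt issues
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Free CA"),),
        (("commonName", "Example DV Issuing CA"),),
    ),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "policies": ["2.23.140.1.2.1"],
}

PAID_OV = {  # a paid OV cert with a vetted organisation name and a longer lifetime
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Shop Ltd"),),
        (("commonName", "shop.example.test"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Commercial CA"),),
        (("commonName", "Example OV Issuing CA"),),
    ),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Feb 02 00:00:00 2025 GMT",
    "policies": ["2.23.140.1.2.2"],
}

SELF_SIGNED = {  # what browsers actually warn about: nobody vouched for the name
    "subject": ((("commonName", "intranet.example.test"),),),
    "issuer": ((("commonName", "intranet.example.test"),),),
    "notBefore": "Jan 01 00:00:00 2023 GMT",
    "notAfter": "Jan 01 00:00:00 2024 GMT",
    "policies": [],
}


if __name__ == "__main__":
    for label, cert in (("free DV", FREE_DV), ("paid OV", PAID_OV), ("self-signed", SELF_SIGNED)):
        print(label, classify_cert(cert))
```

Run as-is it prints one summary per sample: the free DV and paid OV certificates both come back as CA-signed, and differ only in validation level, the presence of an organisation name, and lifetime, while the self-signed one is the only case where subject and issuer coincide. To apply it to a live site, feed it the dict from an ssl-wrapped socket's getpeercert() and add the policy OIDs from a full parser.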
That article is one hot mess by a company trying to upsell their certificates.

There are valid reasons to use OV/EV certs but security definitely isn't one of them.
 
0
•••
When it comes to vulnerability ... nothing is scarier :)
 
0
•••
The legal entity DNEncrypt, Inc is formed.
So, how much for a normal 2-years dnencrypt domain validated cert.? ;) Just one domain. And, another option - wildcard.
 
0
•••
Status
Not open for further replies.
  • The sidebar remains visible by scrolling at a speed relative to the page’s height.
Back