On Thu, 14 Mar 2019 09:51:14 -0400 Phil Turmel via dovecot dovecot@dovecot.org wrote:
> On 3/14/19 7:40 AM, Stephan von Krawczynski via dovecot wrote:
>> Sorry I have to write this, but this is again pointing people in a fake security direction.
> You should be sorry, because you are wrong.
>> The only valid authority for a certificate is the party using it. Any third party with unknown participants cannot be a "Certificate Authority" in its true sense. This is why you should see "Let's Encrypt" simply as a cheap way to fake security. It is a US entity, which means it _must_ hand out all necessary keys to fake certificates to the US authorities _by law_.
> Certificate authorities, including Let's Encrypt, operate on Certificate Signing Requests, not Private Keys. Some CAs do offer private key generation in their services for the user's convenience, but it is not recommended (obviously) and in no way required. Getting a CA to sign a CSR in no way exposes keys to that CA, and therefore not to any government.
> While there are weaknesses in the CA trust system, they aren't anything related to replacing a snakeoil cert with one from Let's Encrypt.
> [rest of ignorant rant trimmed]
Some facts for you, as obviously you have not understood what a CA is worth that is compromised by either hackers or "authorities". If you want to know more, read articles about the closing of the CA DigiNotar, like: https://en.wikipedia.org/wiki/DigiNotar
Then read US export laws concerning security devices. Then judge your US-issued certs...
> Phil
-- 
MfG, Stephan von Krawczynski
ith Kommunikationstechnik GmbH
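Phil's point that a CA only ever sees a CSR, as an added example that is not part of the thread: the private key is generated and kept locally, and the request sent to the CA carries only the public key and a self-signature. It assumes only the openssl CLI; the host name, file names and request config are constructed for the example.

```shell
# Added example, not code from the thread. Shows what a CA actually receives:
# a CSR carrying the public key and a self-signature, never the private key.
# Assumes only the openssl CLI; host name and paths below are constructed.
set -eu
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/imap.key"
CSR="$WORKDIR/imap.csr"
CONF="$WORKDIR/req.cnf"

# Minimal request config so the run does not depend on the system openssl.cnf.
cat >"$CONF" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = imap.example.test
EOF

# 1. The private key is generated locally and stays on the mail server.
gen_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$KEY" 2>/dev/null
}
# 2. The CSR is derived from that key; it is the only file handed to the CA.
gen_csr() {
    openssl req -new -key "$KEY" -config "$CONF" -out "$CSR" 2>/dev/null
}
# True when the CSR contains no private key block at all.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$CSR"
}
# True when the public key inside the CSR equals the one derived from our key,
# which is all the CA needs to bind the issued certificate to it.
csr_pubkey_matches_key() {
    from_key="$(openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256)"
    from_csr="$(openssl req -in "$CSR" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
    [ "$from_key" = "$from_csr" ]
}
# True when the CSR's self-signature verifies: proof the requester holds the key.
csr_signature_valid() {
    openssl req -in "$CSR" -verify -noout >/dev/null 2>&1
}

gen_key
gen_csr
csr_has_no_private_key && echo "CSR holds no private key"
csr_pubkey_matches_key && echo "CSR public key matches local private key"
csr_signature_valid && echo "CSR self-signature verifies"
```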