Let's Encrypt Becomes Linux Foundation Collaborative Project

The Linux Foundation has a track record in helping build open-source communities around projects like Let's Encrypt, which aims to make Internet use more secure.

The Let's Encrypt initiative today announced that it is becoming a Linux Foundation Collaborative Project. The Linux Foundation is well-known as the home of Linux development, but it has also expanded in recent years to host multiple open-source collaborative efforts, including the Xen hypervisor, OpenDaylight software-defined networking and Dronecode projects.

Secure Socket Layer/Transport Layer Security (SSL/TLS) is a critical component of modern Internet security, but it's not always as easy to deploy as it should or could be. That's where the Let's Encrypt effort is aiming to help—to make it easier to encrypt, by providing users with freely available SSL/TLS certificates, backed by a certificate authority (CA).

Let's Encrypt was first announced in November 2014. The effort includes the participation of Mozilla, Cisco, Akamai, Electronic Frontier Foundation, IdenTrust and researchers at the University of Michigan, joined with the Internet Security Research Group (ISRG).

As to why Let's Encrypt decided to become a Linux Foundation-backed effort, Josh Aas, ISRG executive director, explained that the Linux Foundation has a track record in helping build open-source communities around important projects. He added that the Linux Foundation provides a number of ancillary services to let developers focus on development

"Our collaboration will allow the folks working on Let's Encrypt to focus on its service while the Linux Foundation provides organizational management," Aas told eWEEK.
A core part of the Let's Encrypt effort is the creation of a new CA that will be trusted by both users and browsers. In the SSL/TLS system, any user can simply choose to self-sign a digital certificate, though self-signed certificates provide no integrity or ownership assurance. Self-signed certificates will also trigger browser alert warnings and are generally untrusted by default in modern Web browsers. 

When a CA issues and signs an SSL/TLS certificate, the certificate is validated by the CA and trusted by all browsers that accept the CA in their root chain of trust.

"The group is hard at work building the CA, aiming for general availability around midyear," Aas said. "Most of the work relates to getting physical infrastructure in place, software development and policy development."

As a free CA, Let's Encrypt potentially represents a risk to the existing CAs, which are not free and have commercial models in place to sell SSL/TLS certificates. Aas emphasized that the Let's Encrypt project would like to work with existing CAs, not against them.

"We talk with other CAs on a regular basis, and many share our enthusiasm for increasing TLS usage and improving the CA system in general," Aas said. "We look forward to continuing to work with other CAs, and we'll be joining the CA/Browser Forum as soon as we're able."

The CA Browser Forum (CAB) is one of the leading organizations for CAs.

In recent weeks, the issue of SSL/TLS certificate mis-issuance has once again made the news. On March 23, Google reported that the China Internet Network Information Center (CNNIC) CA had improperly issued Google SSL/TLS certificates. Security of the certificate issuance process is top-of-mind for Let's Encrypt.

"On a technical level, we're working hard to meet or exceed best practices when it comes to security," Aas said. "On a policy level, we're putting a lot of effort into developing issuance policies that make sense, and we intend to follow those policies carefully.