A new organization supported by Mozilla, the Electronic Frontier Foundation and others is working to set up a new certificate authority (CA) that will provide website owners with free SSL/TLS certificates.
The new CA will be called Let's Encrypt and is expected to become operational in the second quarter of next year. It will be run by the Internet Security Research Group (ISRG), a new California public-benefit corporation.
The goal of this effort is to get as many people as possible to use the TLS (Transport Layer Security) protocol -- the more secure successor of SSL (Secure Sockets Layer) -- said Josh Aas, executive director of ISRG. Aas is also a senior technology strategist at Mozilla.
The new CA will not only provide certificates for free, but will also automate the certificate issuance, configuration and renewal processes in order to encourage widespread TLS adoption.
The goal is to make getting a certificate as easy as possible, because that's currently the hardest part of turning on TLS, Aas said. With the new CA "there will be no billing interaction, no need to create an account. You don't really need to know much at all except that you want to turn on TLS."
The software used by the CA, as well as the client applications that will help users configure TLS certificates on Web servers like Apache, Nginx and Microsoft IIS, will be open source. The CA plans to operate in a transparent manner, with the certificate issuance and revocation records available to anyone who wishes to inspect them, Aas said.
Some demo software will be made available Tuesday, so that people can start providing feedback. A draft specification for the API (application programming interface) protocol that automates certificate issuance and renewal will also be published today and will soon be submitted to the Internet Engineering Task Force (IETF) for consideration as an open standard, according to Aas.
Let's Encrypt will go through the same audit processes as other CAs and will follow the CA/Browser Forum's baseline requirements for the issuance and management of digital certificates.
ISRG will apply to have the CA's root certificate accepted into all major root programs like the ones run by Mozilla and Microsoft, so that Web browsers and other software clients will trust certificates issued by the new CA by default. However, this process can take between one and three years, so in the meantime the Let's Encrypt root certificates will be cross-signed by IdenTrust, a company that already runs a trusted CA and is one of the project's primary sponsors, Aas said.
This will ensure that Let's Encrypt can start issuing certificates that will be trusted by most applications as soon as the CA becomes operational early next summer.