The non-profit CA launched by the EFF, Mozilla and several other businesses and organizations is determined to gain and retain users’ trust.
After hiring outside experts to conduct a security review of its software and the protocol it will use for automatic certificate issuance and management, the Let’s Encrypt CA has released its first transparency report.
This is the current situation:
The decision to release this report before they even started issuing end entity certificates (the first one is scheduled to be issued three weeks from now) was likely fueled by the fact that once an organization or company receives a National Security Letter from the US government, they can’t talk about it.
They are also not allowed to claim that they have not received any, or give an accurate number if they received more, but can only give a range (e.g. 0-999).
“ISRG [Internet Security Research Group, which runs the CA] provides a secure, open, and transparent service for the public’s benefit. As such, ISRG opposes the introduction of a back door, specialized law enforcement or government access, or any other deliberate weakness in Let’s Encrypt or any of our systems,” the CA stated.
“The trust of our users is ISRG’s most critical asset. Transparency regarding legal requests is an important part of making sure our users can trust us, and to that end we will be publishing reports twice annually.”
They obviously intend for the transparency report to serve as a “warrant canary”.
The Let’s Encrypt CA has been launched to help website administrators switch from from HTTP to HTTPS – a process that is often long and complex, and which Let’s Encrypt aims to make as simple and quick as clicking on a button and taking half a minute of the admins’ time.