Let's encrypt say they won't be issuing code signing certificates. Does anyone know why a domain cert cannot be used as a digital signature? After all, it's just a private key so what is to prevent it being used to code sign with the domain name the cert represents?
Well the difference is in the purpose field... And of course, money is involved! But really, the domain cert is implicitly tied by Let's Encrypt to the domain - you have proved your right to the cert by virtue of ownership of the domain and domain records. That situation does not apply to code signing, for which you do not need a domain at all I don't think. They tend to verify your individual or corporate identity and real-world addresses. I think that's better in the case of code signing - as a user, I do want to be able to have some form of proof of origin like that, which does not apply to domain ownership, I cannot necessarily find the signer. For obvious reasons, Let's Encrypt doesn't want to get into that kind of verification.
Yes I think you're right, they are probably the reasons but, I was thinking, if I download an app from an independent developer, for example, one called newtech.com, the code signer could be anyone, it could be, Willy Wonker for all I know, so his signature isnt going to assure me this is the original application from from newtech.com. On the other hand, if it was signed with newtech.com's TLS certificate the digital signature would match their domain certificate and I would know it is the correct unadulterated app from their site. So I was wondering, is it impossible to use a TLS cert for code signing or do we just lack an application to do it?
A company code certificate would, at the time of the application, need to be backed by evidence delivered by a third party (e.g. lawyer) to verify. What happens to it once issued, is of course an problem, and Willy Wonker could indeed be the signer. The suggestion of tying the application to the domain makes sense, if it's associated with the website - after all, with javascript enabled, we already do (ha!) trust the code they run on our computers. However, domain verification is much weaker than code signing verification. I think using a TLS cert for code would require development tools which didn't discriminate, but also cooperation from installers on the major operating systems. I don't think they would comply with that, for perhaps good reasons. The real problem being that code signing certs are way too expensive still.
I want to put lets encrypt and also ssl.com in my trusted certificate store because I dont have either of them but where do I get them from? I couldnt find any mention of this on lets encrypt website.
Three years later, Let’s Encrypt has issued over 380 million HTTPS certificates September 14, 2018 https://techcrunch.com/2018/09/14/three-years-later-lets-encrypt-now-secures-75-of-the-web/
Let's Encrypt gives admins until February 13 to switch off TLS-SNI January 22, 2019 https://www.theregister.co.uk/2019/...dmins_until_february_13_to_switch_off_tlssni/ Blog entry: February 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support
Certbot Leaves Beta with the Release of 1.0 December 5, 2019 https://www.eff.org/deeplinks/2019/12/certbot-leaves-beta-release-10
Let's Encrypt bolsters security against network attackers February 19, 2020 https://www.neowin.net/news/lets-encrypt-bolsters-security-against-network-attackers Let’s Encrypt: Multi-Perspective Validation Improves Domain Validation Security
