Wow. Let’s Encrypt has issued 62% of all active SSL certs in the wild, according to Censys. That’s awesome…but also worrisome? We obviously want all CAs to meet a high quality bar, but if any ecosystem needs healthy diversity, it’s this one, right?
I wonder what the appropriate next steps here would be, if any.
Logically I agree with you 100% but emotionally I’m still angry about the cert ecosystem crappiness pre-ACME so I’m going to delay my fear and logic for a few years and let LE enjoy their dominance. It’s a nice change.
There are already 3 or 4 free ACME CAs to choose from. It’s just that most people know about or choose Let’s Encrypt. Some ACME clients like @caddyserver default to multiple CAs for redundancy automatically.
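As an added illustration of the redundancy point in the post above (this is editorial example configuration, not part of the thread and not Caddy's own documentation), here is how a Caddyfile can list more than one ACME issuer so that if the first CA is unreachable or refuses issuance, the client tries the next one. The directory URLs are the public Let's Encrypt and Buypass endpoints as I know them; the domain and email are placeholders.

```caddyfile
# Added example (not from the thread): two ACME issuers for fallback.
# Caddy tries the issuers in the order listed; a failure at the first
# CA (outage, rate limit, rejected order) falls through to the second.
example.com {
    tls {
        # First choice: Let's Encrypt (public production directory URL).
        issuer acme {
            dir   https://acme-v02.api.letsencrypt.org/directory
            email admin@example.com   # placeholder contact address
        }
        # Fallback: a second free ACME CA (Buypass directory URL assumed).
        issuer acme {
            dir   https://api.buypass.com/acme/directory
            email admin@example.com   # placeholder contact address
        }
    }
    respond "hello"
}
```

The point of listing issuers explicitly rather than relying on the client's built-in default order is that the fallback becomes a reviewable part of your configuration: you can see which CAs your fleet depends on, and you can swap one out without touching the rest of the site block.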
I don’t really see the benefit of diversity when each CA is fully trusted for every domain. A bit of redundancy in case one goes down, but untrusting them isn’t a realistic option. What we really need is removing these unnecessary additional trusted parties from the picture.