Let’s Encrypt通配符证书将于1月4日公开测试,2月27日正式上线
介绍:
展望2018年
服务增长
我们计划将我们在2018年服务的有效证书和独特域名的数量分别增加到9000万和1.2亿。这一预期的增长是由于对2018年HTTPS总体增长的高预期。
让我们加密通过提供一个免费的,易于使用的和全球可用的选项来获取启用HTTPS所需的证书,有助于推动HTTPS的采用。在Let’s Encrypt发布之日起,Web上的HTTPS采用以前所未有的速度起飞。
让我们加密非常容易使用的原因之一是我们的社区已经做了很好的工作,使得客户端软件适用于各种各样的平台。我们要感谢参与开发Let’s Encrypt超过60个客户端软件的每个人。我们特别兴奋的是,支持ACME协议和Let’s Encrypt 被添加到Apache httpd服务器。
其他组织和社区也在推广HTTPS采用方面做了很多工作,从而刺激了对我们服务的需求。例如,浏览器开始让用户更加意识到与未加密的HTTP(例如Firefox,Chrome)相关的风险。许多托管提供商和CDN正在使所有客户都比以前更容易使用HTTPS。政府机构正在意识到需要加强安全措施来保护三方成员。媒体界正在努力保护新闻。
新功能
我们计划了2018年的一些令人兴奋的功能。
首先,我们计划引入ACME v2协议API端点并支持通配符证书。通配符证书将像我们的其他证书一样在全球免费提供。我们计划在1月4日之前建立一个公开的测试API端点,并且我们已经设定了全面发布的日期:2月27日星期二。
在2018年晚些时候,我们计划引入ECDSA根证书和中间证书。ECDSA通常被认为是Web上数字签名算法的未来,因为它比RSA更有效率。我们的加密将从订户签署ECDSA密钥,但是我们使用我们的一个中间证书签署了RSA密钥。一旦我们拥有了ECDSA根和中介,我们的用户将能够部署完全是ECDSA的证书链。
基础设施
我们的CA基础架构每天可以颁发数百万个证书,并具有多重冗余来保证稳定性和各种物理和逻辑安全防护。我们的基础架构每天还会产生和签署近2千万个OCSP响应,并且每天为这些响应提供近20亿次响应。我们预计发行和OCSP数字在2018年翻番。
我们的物理CA基础架构目前占用大约70个机架空间,分为两个数据中心,主要包括计算服务器,存储,HSM,交换机和防火墙。
当我们颁发更多的证书时,最重要的就是存储我们的数据库。我们定期投资更多,更快速的数据库服务器存储,并将在2018年继续。
我们需要在2018年增加一些额外的计算服务器,而且自从我们推出以来,我们也将在2018年首次开始老化硬件。我们会将10台2u计算服务器老化,并替换为新的1u服务器,这将节省空间并提高能效,同时提供更好的可靠性和性能。
我们还将增加另一名基础设施运营人员,将这个团队带到总共六人。这是必要的,以确保我们能够跟上需求,同时保持高标准的安全和合规性。基础架构操作人员是负责构建和维护所有物理和逻辑CA基础架构的系统管理员。该团队还管理24/7/365随时待命的时间表,他们是安全和合规审计的主要参与者。
财政
我们为成为一个有效率的组织感到自豪。2018年,Let’s Encrypt将以大约300万美元的预算保证大部分网站的安全。对于我们预算的整体增长只有13%,我们将能够发行和服务的证书数量是我们2017年的两倍。我们相信这是一个难以置信的价值,并且促成让我们加密是最有效的方法之一帮助创建一个更加安全和隐私的Web。
我们的2018年筹款活动在Mozilla,Akamai,OVH,思科,谷歌Chrome和电子前沿基金会的白金赞助下开创了一个良好的开端。福特基金会也重新授予Let’s Encrypt。我们正在寻求额外的赞助和补助,以满足我们2018年的全部需求。
我们原本预算2017年为291万美元,但今年我们可能会以265万美元左右的预算进入预算。我们2017年的265万美元开支与2018年的300万美元预算之间的差额主要包括前面提到的额外基础设施运营成本。
支持让我们加密
我们依靠来自我们的用户和支持者社区的贡献来提供我们的服务。如果您的公司或组织愿意赞助 Let’s Encrypt,请发送电子邮件至sponsor@letsencrypt.org。我们要求您在个人意愿范围内作出个人贡献。
我们感谢我们获得的行业和社区支持,我们期待着继续创建一个更安全,更尊重隐私的网络!
官方原文:
Service Growth
We are planning to double the number of active certificates and unique domains we service in 2018, to 90 million and 120 million, respectively. This anticipated growth is due to continuing high expectations for HTTPS growth in general in 2018.
Let’s Encrypt helps to drive HTTPS adoption by offering a free, easy to use, and globally available option for obtaining the certificates required to enable HTTPS. HTTPS adoption on the Web took off at an unprecedented rate from the day Let’s Encrypt launched to the public.
One of the reasons Let’s Encrypt is so easy to use is that our community has done great work making client software that works well for a wide variety of platforms. We’d like to thank everyone involved in the development of over 60 client software options for Let’s Encrypt. We’re particularly excited that support for the ACME protocol and Let’s Encrypt is being added to the Apache httpd server.
Other organizations and communities are also doing great work to promote HTTPS adoption, and thus stimulate demand for our services. For example, browsers are starting to make their users more aware of the risks associated with unencrypted HTTP (e.g. Firefox, Chrome). Many hosting providers and CDNs are making it easier than ever for all of their customers to use HTTPS. Government agencies are waking up to the need for stronger security to protect constituents. The media community is working to Secure the News.
New Features
We’ve got some exciting features planned for 2018.
First, we’re planning to introduce an ACME v2 protocol API endpoint and support for wildcard certificates along with it. Wildcard certificates will be free and available globally just like our other certificates. We are planning to have a public test API endpoint up by January 4, and we’ve set a date for the full launch: Tuesday, February 27.
Later in 2018 we plan to introduce ECDSA root and intermediate certificates. ECDSA is generally considered to be the future of digital signature algorithms on the Web due to the fact that it is more efficient than RSA. Let’s Encrypt will currently sign ECDSA keys from subscribers, but we sign with the RSA key from one of our intermediate certificates. Once we have an ECDSA root and intermediates, our subscribers will be able to deploy certificate chains which are entirely ECDSA.
Infrastructure
Our CA infrastructure is capable of issuing millions of certificates per day with multiple redundancy for stability and a wide variety of security safeguards, both physical and logical. Our infrastructure also generates and signs nearly 20 million OCSP responses daily, and serves those responses nearly 2 billion times per day. We expect issuance and OCSP numbers to double in 2018.
Our physical CA infrastructure currently occupies approximately 70 units of rack space, split between two datacenters, consisting primarily of compute servers, storage, HSMs, switches, and firewalls.
When we issue more certificates it puts the most stress on storage for our databases. We regularly invest in more and faster storage for our database servers, and that will continue in 2018.
We’ll need to add a few additional compute servers in 2018, and we’ll also start aging out hardware in 2018 for the first time since we launched. We’ll age out about ten 2u compute servers and replace them with new 1u servers, which will save space and be more energy efficient while providing better reliability and performance.
We’ll also add another infrastructure operations staff member, bringing that team to a total of six people. This is necessary in order to make sure we can keep up with demand while maintaining a high standard for security and compliance. Infrastructure operations staff are systems administrators responsible for building and maintaining all physical and logical CA infrastructure. The team also manages a 24/7/365 on-call schedule and they are primary participants in both security and compliance audits.
Finances
We pride ourselves on being an efficient organization. In 2018 Let’s Encrypt will secure a large portion of the Web with a budget of only $3.0M. For an overall increase in our budget of only 13%, we will be able to issue and service twice as many certificates as we did in 2017. We believe this represents an incredible value and that contributing to Let’s Encrypt is one of the most effective ways to help create a more secure and privacy-respecting Web.
Our 2018 fundraising efforts are off to a strong start with Platinum sponsorships from Mozilla, Akamai, OVH, Cisco, Google Chrome and the Electronic Frontier Foundation. The Ford Foundation has renewed their grant to Let’s Encrypt as well. We are seeking additional sponsorship and grant assistance to meet our full needs for 2018.
We had originally budgeted $2.91M for 2017 but we’ll likely come in under budget for the year at around $2.65M. The difference between our 2017 expenses of $2.65M and the 2018 budget of $3.0M consists primarily of the additional infrastructure operations costs previously mentioned.
Support Let’s Encrypt
We depend on contributions from our community of users and supporters in order to provide our services. If your company or organization would like to sponsor Let’s Encrypt please email us at sponsor@letsencrypt.org. We ask that you make an individual contribution if it is within your means.
We’re grateful for the industry and community support that we receive, and we look forward to continuing to create a more secure and privacy-respecting Web!
那你说
好