• TeamAssimilation@infosec.pub · English · 6 upvotes · 3 hours ago

    Let’s Encrypt is a trusted, established alternative, it could replace Microsoft for long-lived software certificates.

    Or tarnish its name associating it with malware and bad actors, who knows?

    • Luminous5481 [they/them]@anarchist.nexus · English · 3 upvotes · 3 hours ago

      > Let’s Encrypt is a trusted, established alternative, it could replace Microsoft for long-lived software certificates.

      Uh, no it could not.

      First of all, the whole point of signing software is to ensure it comes from a reputable source. Let’s Encrypt signs certificates with an automated process that does no verification whatsoever of the identity of the person asking for a certificate. It would make the whole process completely pointless.

      Second, Let’s Encrypt has stated themselves over a decade ago that they have no intention of doing this because it would render the whole system pointless.

        • piccolo@sh.itjust.works · 1 upvote · edited 2 hours ago

        The point of signing software is to ensure the software was not tampered from the publisher. Linux package managers solve this by comparing a gpg key from the publisher with the software’s. There is no need for a corporate giant to “vet” software.