Highest Rated Comments
tialaramex (9 karma)

For the "plot" Subnormality comics, do you have a long term plan, and we're just seeing that play out, very slowly, a handful of panels at a time? Or is it something you just write more of organically and you have no idea how it ends either? Or am I talking nonsense and in your head every Subnormality panel is part of one single continuity that makes sense?

tialaramex (2 karma)

Validating OV sounds like it helps, until you think a bit harder about the problem. Setting up the organisation Bank of Arnerica and getting an OV certificate isn't even difficult, bad guys could do that too. Why don't they do that today? It doesn't matter enough to be worth it. But that's all.

Also, unlike checking the DNS name, which a browser can do automatically, the other parts of the DN (such as a company name) listed in OV or EV certificates aren't checked by anything at all. So Comodo Dragon is perfectly happy with bankofarnerica.example if it presents a certificate issued to Tepples Corp., a two week old corporation based at a PO Box in Ohio... no interstitial for that. But my own bank's auxiliary web sites, with their name and a valid DV certificate, will get an interstitial. It's a good marketing attempt by Comodo, but I think it falls down as a practical way forward.

tialaramex (1 karma)

As an example, Stanford's pwdhash takes a user-input password and munges it with the domain name of the site it's being entered into, then hashes that and converts the output to "password appropriate" characters.

I use pwdhash with "low value" users for forum sites and similar, so that I can give the same password every time, but a hypothetical bad guy who steals the forum's incompetently stored password database, or intercepts a non-HTTPS connection only gets working credentials for that one site, unless they brute force the actual "low value" password behind it.

In hindsight something like pwdhash should have been built into the web, but it's too late now.
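A domain-salted derivation in the spirit of the scheme described above, written as an added example for this page (it is not Stanford's PwdHash code and does not reproduce its exact algorithm). It assumes PBKDF2-HMAC-SHA256 rather than the fast hash PwdHash uses, precisely to raise the cost of the "brute force the low value password behind it" step the comment mentions; the site-key reduction to the last two DNS labels is a simplification that ignores multi-label public suffixes such as co.uk.

```python
import hashlib
import string

# "Password appropriate" output alphabet (assumption: letters and digits only,
# which almost every site accepts; add symbols if a site demands them).
ALPHABET = string.ascii_letters + string.digits

# Assumption: PBKDF2 with a deliberately high iteration count so that a leaked
# per-site password is expensive to turn back into the master password.
ITERATIONS = 200_000


def site_key(hostname: str) -> str:
    """Reduce a hostname to the domain that salts the derivation.

    Simplification: keep the last two labels, so forum.example.com and
    www.example.com derive the same password. Real public-suffix handling
    (co.uk etc.) is out of scope for this example.
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def derive_site_password(master: str, hostname: str, length: int = 16) -> str:
    """Derive a per-site password from a master password and the site's domain.

    The domain acts as the salt, so the same master password yields unrelated
    outputs for unrelated sites; a database stolen from one site does not
    hand an attacker working credentials for another.
    """
    salt = ("pwdhash-example:" + site_key(hostname)).encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=length)
    # Map each derived byte into the printable alphabet. The modulo introduces a
    # tiny bias, acceptable for illustration; a production scheme would use a
    # bias-free encoding.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def leak_is_contained(master: str, leaked_site: str, other_site: str) -> bool:
    """True when the password leaked from one site is not the password for another."""
    return derive_site_password(master, leaked_site) != derive_site_password(master, other_site)


if __name__ == "__main__":
    # Constructed sample input: one low-value master password, two forum sites.
    master = "correct horse battery staple"
    for host in ("forum.example.com", "board.example.org"):
        print(host, derive_site_password(master, host))
    print("leak contained:", leak_is_contained(master, "forum.example.com", "board.example.org"))
```

The derivation is deterministic, so the user types only the master password; the site name supplies the rest. Note the caveat from the comment still holds: an attacker with a leaked per-site password can guess master passwords offline, and the iteration count only slows that down, it does not prevent it.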

tialaramex (1 karma)

(Not from Let's Encrypt)

I haven't heard this rumour, but it's possible you are confusing an instruction from sponsors for a rule Let's Encrypt has to obey anyway?

It's not permissible under the CA/B Baseline Requirements (rules agreed between major CAs and the "Browser vendors" who are these days mostly actually standing in for OS vendors) to issue new certificates for "internal" names such as "exchange2012" or "ny-http-04.example.corp".

All new (since November 2015) certificates must only list names from the Internet's public DNS hierarchy (with a special exception for TOR's .onion names which aren't part of DNS).

Now, it's possible to have real Internet DNS names for servers on an intranet, or indeed on a Mars probe, since it's not required by the rules that the machines actually be connected to the Internet, directly or at all, but a lot of companies prefer internal names. No problem, but a public CA is prohibited from offering certificates for these names.
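A pre-issuance check of the kind a CA (or anyone linting a certificate request) runs to reject the internal names the comment describes, added here as an example; it is not Let's Encrypt's or any CA's code. It assumes a tiny constructed stand-in for the public TLD list (a real check would consult the IANA root zone or the Public Suffix List), treats the Tor .onion suffix as the special case the comment mentions, and rejects reserved or private IP address literals alongside single-label and private-suffix names.

```python
import ipaddress
import re
from typing import Tuple

# Assumption: a deliberately small stand-in for the real public TLD list.
PUBLIC_TLDS = {"com", "net", "org", "example", "io", "uk"}

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_publicly_issuable(name: str) -> Tuple[bool, str]:
    """Decide whether a SAN entry is a name a public CA may put in a certificate.

    Returns (verdict, reason). The rule modelled: only names under the public
    DNS hierarchy are allowed; internal names (single labels, private suffixes
    such as .corp) and non-global IP literals are not, with .onion as the
    documented exception.
    """
    name = name.strip().lower().rstrip(".")
    if not name:
        return False, "empty name"

    # IP address literals: ip_address() raises ValueError for hostnames.
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_global:
            return True, "globally routable IP literal"
        return False, "reserved/private IP address"

    labels = name.split(".")
    # A leading wildcard label is permitted for dnsNames; validate the rest.
    if labels[0] == "*":
        labels = labels[1:]
        if not labels:
            return False, "bare wildcard"
    if any(not LABEL_RE.match(label) for label in labels):
        return False, "malformed DNS label"
    if len(labels) == 1:
        return False, "single-label (internal) name"

    tld = labels[-1]
    if tld == "onion":
        return True, "Tor .onion name (special BR exception)"
    if tld not in PUBLIC_TLDS:
        return False, f"'.{tld}' is not a public TLD"
    return True, "public DNS name"


def filter_request(sans):
    """Split a list of requested names into (accepted, rejected_with_reason)."""
    accepted, rejected = [], []
    for san in sans:
        ok, reason = is_publicly_issuable(san)
        (accepted if ok else rejected).append(san if ok else (san, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample request mixing the names from the comment with public ones.
    request = ["exchange2012", "ny-http-04.example.corp", "lobby-04.cameras.example.com",
               "*.example.org", "10.0.0.5", "abcdefghijklmnop.onion"]
    ok, bad = filter_request(request)
    print("accepted:", ok)
    for san, why in bad:
        print("rejected:", san, "->", why)
```

The intranet point from the comment is visible in the logic: lobby-04.cameras.example.com passes even though nothing checks whether the host is reachable from the Internet, while the same camera named lobby-04.cameras.corp fails on its suffix alone.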

tialaramex (1 karma)

Long term: Manufacturers are looking at teaching their devices to sort this out for themselves. So you'd be like "Yes, this new surveillance camera is named lobby-04.cameras.example.com. Yes, I agree to the Let's Encrypt Terms of Service. Done".

Short term: You can use certbot with the DNS challenge to get the actual certificates issued, and then a little scripting may be able to paste the right things into the right web forms.

Also: Do surveillance cameras really need to be accessible from the public Internet? Do people need to be able to access the cameras from some iPhone they just bought? This might be a scenario where a private CA is the right option anyway.
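What the "little scripting" around a DNS challenge actually has to publish, as an added example for this page (not certbot's code): the DNS-01 validation record per RFC 8555. The token and account key thumbprint are constructed placeholders standing in for values the ACME server and the account key would supply; certbot computes the same TXT value itself and hands it to a `--manual-auth-hook` script as `$CERTBOT_VALIDATION`, so the point of the example is to show what that value is and how an automation script can check its own DNS update before telling certbot to proceed.

```python
import base64
import hashlib
import hmac

# Constructed placeholders: an ACME server issues the token per challenge, and the
# thumbprint is the RFC 7638 JWK thumbprint of the ACME account's public key.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACCOUNT_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint."""
    return f"{token}.{account_thumbprint}"


def dns01_record(domain: str, token: str, account_thumbprint: str):
    """Return (record_name, txt_value) for a DNS-01 challenge.

    RFC 8555 section 8.4: the TXT record lives at _acme-challenge.<domain> and
    holds base64url(SHA-256(keyAuthorization)). For a wildcard name the
    record goes at the base domain, so a leading "*." is stripped.
    """
    host = domain.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    digest = hashlib.sha256(key_authorization(token, account_thumbprint).encode("ascii")).digest()
    return "_acme-challenge." + host, b64url(digest)


def txt_value_matches(domain: str, token: str, account_thumbprint: str, published: str) -> bool:
    """Check a value read back from DNS against the expected one (constant-time compare)."""
    expected = dns01_record(domain, token, account_thumbprint)[1]
    return hmac.compare_digest(expected, published)


if __name__ == "__main__":
    # The camera name from the comment, as constructed input.
    name, value = dns01_record("lobby-04.cameras.example.com", TOKEN, ACCOUNT_THUMBPRINT)
    print(f'{name}. 300 IN TXT "{value}"')
    print("self-check:", txt_value_matches("lobby-04.cameras.example.com", TOKEN, ACCOUNT_THUMBPRINT, value))
```

In an automation script the sequence is: publish the record through the DNS provider's API, poll an authoritative nameserver until a lookup returns a value for which `txt_value_matches` is true, and only then let certbot ask the ACME server to validate. Because the DNS challenge never needs the camera itself to be reachable from the Internet, it fits the private-network case the comment raises; a private CA remains the simpler choice when no public trust is needed at all.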