What does HackerNews think of boulder?
An ACME-based certificate authority, written in Go.
For proprietary software it's idiomatic to use a private CA for securing connections to a central server, to avoid the risk of DNS hijacking or a malicious third-party CA. For open-source software it will, definitionally, allow substituting different server key validation options for users who prefer to run their own servers.
The only real problem QUIC's mandatory TLS causes is that localhost development becomes marginally more difficult, but even as someone who loves running my in-development stuff on localhost it's clear that the security of the internet as a whole is of far greater value.
The reality is that they are storing information during challenges, implementing rate limiting per-account, supporting OCSP validation and a few other things.
You can investigate further if you really want to see the queries that they make against the database since their software (Boulder) is open source [1]. Most queries are in the files in the "sa" (storage authority) folder.
As far as I know there's only one serious server-side implementation right now, and that's Let's Encrypt's open-source Boulder project: https://github.com/letsencrypt/boulder
Ideally you'd have some way of tying it into some internal authorization database instead of relying on HTTP challenges, but HTTP challenges would work too.
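The HTTP challenge mentioned above, as an added example that is not Boulder's or Let's Encrypt's own code: how an ACME server derives the expected key authorization from the account key's RFC 7638 thumbprint and checks the body it fetched from the challenge URL (RFC 8555 section 8.3). The account key, token and fetched body are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638: only these required public members contribute to the thumbprint;
# optional members such as "alg" or "kid" are deliberately excluded.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Required members in lexicographic order, no whitespace (RFC 7638 section 3)."""
    members = THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported or missing kty")
    subset = {m: jwk[m] for m in members}  # KeyError if a required member is absent
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The string the client must serve at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01(token: str, account_jwk: dict, body: bytes) -> bool:
    """Server-side check of the body fetched over plain HTTP (RFC 8555 section 8.3).
    Trailing whitespace is ignored; the comparison is constant time."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(expected, body.rstrip(b" \t\r\n"))


# Constructed sample data: not a real key, not a real token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk", "alg": "RS256"}
SAMPLE_TOKEN = "DGyRejmCefe7v4NfDGDKfA"

if __name__ == "__main__":
    expected = key_authorization(SAMPLE_TOKEN, ACCOUNT_JWK)
    print("client must publish:", expected)
    print("valid body accepted:", validate_http01(SAMPLE_TOKEN, ACCOUNT_JWK, expected.encode() + b"\n"))
    print("wrong token rejected:", not validate_http01("other", ACCOUNT_JWK, expected.encode()))
```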
Also the server for LetsEncrypt is open source [1] and comes with test scripts to run it during development and testing to avoid premature exposure to the public instance of LetsEncrypt.
- Development of the official client[1] and boulder[2], the CA server software behind Let's Encrypt. Both are relatively big projects with lots of things to add/improve on.
- Hosting CA servers in two separate data centers. HSMs for key storage are usually rather expensive as well. CRLs and OCSP are quite bandwidth-intensive[3], that's probably where Akamai's sponsorship comes in. Ops teams have to be available 24/7 in case of outages.
- I'd guess the auditing costs are quite substantial as well. I'm not sure what's necessary to get added to the various root programs out there (Microsoft, Mozilla etc.), but I doubt it's free (unless that's part of some sponsorship).
(I'm not affiliated with Let's Encrypt, just my perspective)
[1]: https://github.com/letsencrypt/letsencrypt
[2]: https://github.com/letsencrypt/boulder
[3]: https://blog.cloudflare.com/the-hard-costs-of-heartbleed/
Contributing to our software is one way to help:
https://github.com/letsencrypt/boulder
https://github.com/letsencrypt/lets-encrypt-preview
Also, if you work for a company that might be interested in sponsoring us, starting that conversation is another great way to help out.
While I'm sure they have something ready[0], I'm not sure they have a fully-worked-out policy for running it (required to get into certificate chains), or a production deployment of it, or a third-party vulnerability test of it.
Additionally, ACME verification is a vaguely complicated protocol which will likely need a tool to sign the various messages involved (or you're going to be looking at munging together OpenSSL commands), and you're looking at the developer preview of that.