They take CAcert.org principle and advertise about it.
First thing is good !
Problems with TLS/SSL begin with the commands.
SSL commands are bad designed, and their author deserved to be put in jail with a lion or submitted to one of the Saw’s punishments (I particularly think of Mark Wilson, also software engineer).
The idea there is to create a ssl management tool which would avoid headache each time you have to work with it. Good !
But… There is a but… By default, we don’t see SSL certification chain generation, leading to a lack of confidence, which is essential there.
You have to see and print the commands on screen.
Possible, they do it in the demo video. It must be the default.
And we should have a little bit more options…
But, be happy ! There will be an easy-to-use tool to manage SSL !
It is still a CA ! So to break the whole https web, you just need to break it. And an automatic CA. Doesn’t mean that a real CA would be more safe. I just believe pirates will bbe happy playing and cracking the cert robot.
By the way : by creating a new CA, Mozilla decrease its own income, because it finance itself by auditing corporate CAs.
And finally : who pays ? because, of course certs will be free of charge, but there is a need for support (a server for the CA and its robot, a website, doc, maintenance, safety, communication…)
The true solution
The true solution would be to push more to use DNSSEC and DANE.
Name servers already know how to automatically sign domains (BIND and Knot can do) or other softwares (OpenDNSSEC and ZTK)
It’s not simple. But rather than depending of a single point of failure (this CA. The CA model has been criticized precisely on that point), you rely on the whole DNS safety, insured by DNSSEC from end to end, and finally your own skills, which were already needed but with this new tool, easier to manage.