
> 1) Why did it take so long for an open source version to come into existence?

Open source tools to run a CA / PKI have existed for a good long time, they just haven't been easy to use.

Automated certificate issuance software has also existed for a while, but it hasn't been terribly awesome.

The bigger issue is trust - launching a new CA is quite expensive since you need to invest and build all the technology and processes, then get them all audited, and then present the results to the various organizations who control which CAs are trusted (see https://cabforum.org/).

The motivation for running a CA has typically been financial - even vendors that provide free certificates (StartSSL, Comodo, etc) have done so as a path to moving customers to paid services.

Let's Encrypt/ISRG was kicked off by a group of folks who care deeply about security and had the technical chops and inside knowledge (some (all?) of the founding team were from Mozilla and had both guidance and experience dealing with the CAB).

In short, there is no good reason not to have done this, and independent of this, another team within Mozilla had started to think about how we could tackle this before we found out the LE work was in flight :)



(Not for ygjb-dupe's interest as I'm sure they know already, but for the sake of the thread)

To slightly expand, getting trusted by the key trust stores (laughably pretending to each represent a "Web browser" at CA/B although nobody would mistake Apple or Microsoft for mere web browser vendors) takes far, far too long to be practical as a first step. Mozilla was fastest and they quote 12-24 months typically, whereas Apple and Oracle are both famously slow to react, and might not sign off on Let's Encrypt for years yet to come.

Well, Let's Encrypt works today, so how did they do that? There's a way to sidestep the trust stores. An existing trusted Certificate Authority can sign a certificate which instead of saying "This is a web server" says basically "This is another Certificate Authority". Let's Encrypt got theirs signed by IdenTrust. This is called "cross signing". But of course to get an existing CA to sign your CA certificate they need to be sure you're not going to screw up, because it's their reputation on the line as well as yours. So although this is faster than talking to all the CA/B "browser" members for years, it still needed a lot of hard work by ISRG's team.


Indeed, I don't recall atm which one Amazon used for their SSL offerings (which are coupled to AWS iirc), but they used the same approach (while also going through the normal channels).
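The cross-signing arrangement described in the thread above, as an added example that is not part of any comment or of Let's Encrypt's own code: using Go's standard `crypto/x509`, a constructed "Established Root" cross-signs a constructed "New CA", and a leaf issued by the new CA validates against a trust store holding only the established root once the cross-signed certificate is supplied. All names, keys and the `must`/`issue`/`demo` helpers are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a fresh key and a certificate for it, signed by parentKey (nil parent = self-signed).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{cn}}
	if isCA { // "this is another Certificate Authority", not "this is a web server"
		t.KeyUsage, t.DNSNames = x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// demo checks one leaf against a trust store that holds only the established root.
func demo() (withCross, withoutCross bool) {
	oldRoot, oldKey := issue("Established Root (constructed)", true, nil, nil)
	cross, newKey := issue("New CA (constructed)", true, oldRoot, oldKey) // the cross-signed CA cert
	leaf, _ := issue("www.example.test", false, cross, newKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: "www.example.test"}
	opts.Roots.AddCert(oldRoot)
	_, errWithout := leaf.Verify(opts) // new CA's cert not supplied: issuer is unknown
	opts.Intermediates.AddCert(cross)
	_, errWith := leaf.Verify(opts) // leaf -> cross-signed new CA -> established root
	return errWith == nil, errWithout == nil
}

func main() { fmt.Println(demo()) }
```

The new CA never appears in the trust store; the relying party accepts it only because the established root vouched for its key, which is why a server has to send the cross-signed certificate along with its own.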



