The EFF announced this week that they are starting an initiative to get SSL certificates into the hands of everyone on the web with their project: https://letsencrypt.org/
The initial video I saw on it (https://www.youtube.com/watch?v=Gas_sSB-5SU) shows how it will work on *nix based systems. I happily run Debian web servers for just about everything except my Windows Domain and Exchange Servers (which may be replaced in the next 18 months because MS keeps upping the hardware requirements for new versions of Server, and I just can't justify the expense just to run the "new version" of Windows, but that's another story).
I immediately thought this was a good way to do domain-level validation in an automated way. Of course, how would this work for SAN certs required for Exchange? Or could it? What about IIS? I am not sure there is an easy way to do this with IIS like there is with Apache.
From a security standpoint, what do you guys see as the pitfalls and pluses of this system? (Other than domain validation SSLs are no longer stupidly expensive....)