Internet Security Research Group

Internet Security Research Group (ISRG) is a U.S.-based tax-exempt public-benefit nonprofit^[1][2] focused on improving Internet security and privacy by operating public-interest security infrastructure projects.^[1] It is best known for operating Let's Encrypt, a publicly trusted Certificate Authority that issues free, automated [[TLS certificates at global scale.^[3]

History[edit | edit source]

ISRG was founded in May 2013 as a nonprofit home for public-benefit digital infrastructure projects.^[1][4] ISRG’s founding directors were Josh Aas and Eric Rescorla, and early institutional support for the effort came from organizations including Mozilla, the Electronic Frontier Foundation (EFF), the University of Michigan, Cisco, and Akamai.^[1]

Projects[edit | edit source]

Let's Encrypt[edit | edit source]

Let's Encrypt is ISRG’s best-known project and a major driver of mainstream deployment of HTTPS on the public web.^[3] Let’s Encrypt was designed to remove cost and operational friction from certificate issuance by combining free certificates with high automation. In ISRG’s reporting, Let’s Encrypt has operated at a scale measured in hundreds of millions of websites, issuing large volumes of certificates daily.^[3][5]

A core enabling component of this model is the ACME Protocol (Automatic Certificate Management Environment), standardized at the IETF as RFC 8555.^[6] ACME allows certificate requests, domain control validation, issuance, and renewal to be performed programmatically, which is particularly relevant as the web PKI ecosystem trends toward shorter certificate lifetimes and more frequent automation-driven renewals.^[7]

Prossimo[edit | edit source]

Prossimo is ISRG’s initiative to reduce systemic software vulnerabilities by supporting migration of security-sensitive infrastructure to memory-safe implementations, including projects in the broader Internet services stack.^[1][8]

Divvi Up[edit | edit source]

Divvi Up is a privacy-preserving telemetry and metrics aggregation effort, intended to support measurement while limiting collection of identifiable user-level data.^[1][9]

Governance and policy relevance[edit | edit source]

ISRG’s work sits at the intersection of technical standards and operational governance for the web’s trust infrastructure. While ISRG is not part of the ICANN ecosystem, its flagship project depends on global uniqueness and stability of the Domain Name System (DNS) for certificate issuance and validation workflows, since certificates authenticate control of DNS names in the Web PKI model.^[6]

Operationally, ISRG participates in a multi-actor environment where browser root programs and the CA/Browser Forum establish baseline issuance and validation requirements, and the IETF standardizes protocols like ACME that shape how automation is implemented across the ecosystem.^[7][6] In practice, this combination has shifted certificate deployment from a largely manual, paid service model toward an automated, high-volume baseline expectation for public-facing services, with follow-on effects for hosting providers, registrars, CDNs, and enterprise IT operations.^[3]

ISRG publishes public documentation and open source code supporting these projects, including organizational repositories and implementation components maintained on GitHub.^[10]

See also[edit | edit source]

• IETF

References[edit | edit source]