[Ach] bettercrypto.org certificate has expired today

Alexander Wuerstlein arw at cs.fau.de
Wed Mar 8 16:28:35 CET 2017


On 2017-03-08T16:05, Terje Elde <terje at elde.net> wrote:
> 
> > On 08 Mar 2017, at 14:19, Hanno Böck <hanno at hboeck.de> wrote:
> > 
> > What you should do is to request a new cert with a reasonable
> > timeframe before your old one expires (one could probably argue forever
> > what a reasonable timeframe is, but I'd say something between 10 and 30
> > days).
> 
> Renewal is a common problem.  Is this something that the guide should spend a few words on?
> 
> 
> My experience in my own circles has mostly been that it’s not too hard to get consensus that appropriate time is something like:
> 
> How long it will take you to notice that cert is approaching limit. (24 hours?)
>  + However long it will take you to replace manually using plan A. (a day?)
>  + However long it will take you to replace manually using plan B (manually order from alternative CA for example) (a week?)
>  + However long it will take to cycle new cert into production (accounting for things like DNS TTLs, having Apps put through approval at App Store, or whatever might be required) (2-14 days, depending?)
>  + Margins (two weeks?)
> 
> That should land you somewhere between 25 and 37 days, depending, for a *comfortable* margin to replace.
> 
> Point is just that it’s very easy for those with less experience at running systems to forget about things like detection time, planning for having to go to a plan B for new certs, planning in margins, and so on.  Easy to slip up.

There is another factor if one is bold enough to use it: The max-age of
HPKP-Pins and administrative change time and TTL of TLSA DNS entries.
Especially HPKP max-age must be _added_ to the aforementioned times if
there is a chance that one would change the keypair when obtaining a new
certificate. Recommendations for max-age are in the order of a month or
even more.

However, in my opinion, one would have to be mad to use any HPKP max-age
longer than maybe a week with letsencrypt.



Ciao,

Alexander Wuerstlein.
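
Added example, not part of the original messages: the lead-time sum from the quoted reply combined with the HPKP max-age point above, as a small Python check of when renewal has to start. The budget uses the upper ends of the quoted ranges; the header value, pin placeholders, dates and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample Public-Key-Pins header value; pins are placeholders.
SAMPLE_HPKP = ('pin-sha256="PLACEHOLDER_PRIMARY_PIN="; '
               'pin-sha256="PLACEHOLDER_BACKUP_PIN="; '
               'max-age=2592000; includeSubDomains')

# Budget in days, upper ends of the ranges quoted in the thread (sums to 37).
BUDGET_DAYS = {"detect": 1, "plan_a": 1, "plan_b": 7, "rollout": 14, "margin": 14}


def hpkp_max_age(header: str) -> timedelta:
    """Extract the max-age directive (in seconds) from an HPKP header value."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError(f"invalid max-age: {value!r}")
            return timedelta(seconds=int(value))
    raise ValueError("no max-age directive in header")


def lead_time(budget_days, hpkp_header=None, key_may_change=False) -> timedelta:
    """Sum the operational budget; add HPKP max-age if the key pair may change."""
    total = timedelta(days=sum(budget_days.values()))
    if hpkp_header and key_may_change:
        # Clients may hold the old pin for up to max-age, so the new key has
        # to be pinned at least that long before it goes into production.
        total += hpkp_max_age(hpkp_header)
    return total


def renewal_status(not_after, now, lead):
    """Return (start_by, overdue): latest renewal start and whether it has passed."""
    start_by = not_after - lead
    return start_by, now >= start_by


if __name__ == "__main__":
    issued = datetime(2017, 3, 8, tzinfo=timezone.utc)   # constructed dates
    not_after = issued + timedelta(days=90)              # 90-day certificate
    lead = lead_time(BUDGET_DAYS, SAMPLE_HPKP, key_may_change=True)
    start_by, overdue = renewal_status(not_after, issued + timedelta(days=30), lead)
    print(f"lead {lead.days}d, start by {start_by:%Y-%m-%d}, overdue={overdue}")
```

With a 30-day max-age and a 90-day certificate, the combined lead time of 67 days puts the renewal start only 23 days after issuance.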

