[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today

Hanno Böck hanno at hboeck.de
Wed Mar 8 17:06:05 CET 2017

On Wed, 08 Mar 2017 16:53:01 +0100
Gunnar Haslinger <gh.bettercrypto at hitco.at> wrote:

> Use Let's Encrypt with your custom CSR, recycle your CSR when
> renewing (which means reusing the KeyPair). No changes in
> TLSA-Records or HPKP needed, because stable Keypair.

I'd say then you're trading one security property for another.

Changing keys regularly is imho a good thing, it gives you some kind of
weak forward secrecy property. IMHO more valuable and less error prone
than HPKP.

Imagine someone gets access to an old backup or hard disk of yours. If
you regularly switch keys he won't get an active private key from you.
If you reuse private keys he will.

Hanno Böck

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
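As an added illustration of the two positions above (this is example code, not from either poster or from bettercrypto.org), the script below derives the DANE TLSA data and the HPKP pin from a certificate and shows which of them survive a renewal when the key pair is reused versus rotated. It assumes openssl is on PATH; the host name and all file names are made up, and a self-signed certificate with a random serial stands in for what the CA would issue against the CSR. The caveat a practitioner wants: reusing the key only keeps a TLSA record with selector 1 (SPKI) stable; a "3 0 1" record over the whole certificate changes on every renewal regardless. The same SPKI comparison also shows Hanno's point: with a reused key, the key from an old backup still matches the certificate currently in service.

```shell
#!/bin/sh
# Added example, not code from the thread or from bettercrypto.org.
# Assumes: openssl on PATH; host name and file names are made up.
set -eu

# Hex SHA-256 over a DER SubjectPublicKeyInfo read as PEM on stdin.
_spki_hex() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Data field of a "TLSA 3 1 1" record (DANE-EE, SPKI, SHA-256), from a key,
# a CSR (what you can publish before the cert exists) or the issued cert.
spki_hex_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null | _spki_hex; }
spki_hex_from_csr()  { openssl req -in "$1" -pubkey -noout 2>/dev/null | _spki_hex; }
spki_hex_from_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null | _spki_hex; }

# Data field of a "TLSA 3 0 1" record: SHA-256 over the whole DER certificate.
cert_hex() {
  openssl x509 -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# HPKP pin-sha256 value: the same SPKI digest, base64 instead of hex.
hpkp_pin_from_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64
}

# Zone line you would publish for a host from its CSR alone.
tlsa_record_from_csr() { # $1 host, $2 CSR file
  printf '_443._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(spki_hex_from_csr "$2")"
}

gen_key()  { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
make_csr() { openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null; }  # $1 key, $2 host, $3 out

# Stand-in for the CA: a real CA issues a new certificate (new serial, new
# validity) on every renewal, so the serial is randomised here as well.
issue_cert() { # $1 key file, $2 host, $3 output cert
  openssl req -x509 -new -key "$1" -subj "/CN=$2" -days 90 \
    -set_serial "0x$(openssl rand -hex 8)" -out "$3" 2>/dev/null
}

_cmp() { if [ "$2" = "$3" ]; then echo "$1 stable"; else echo "$1 changed"; fi; }

# Issue a certificate, then renew: with "reuse" the renewal recycles the same
# key and CSR, with "rotate" a fresh key pair is generated. Report, per pinning
# method, whether the published value stays stable, and whether the original
# key (think: old backup) still matches the certificate now in service.
renewal_report() { # $1 reuse|rotate, $2 host
  d=$(mktemp -d)
  gen_key "$d/key1.pem"
  make_csr "$d/key1.pem" "$2" "$d/req1.csr"
  issue_cert "$d/key1.pem" "$2" "$d/cert1.pem"
  if [ "$1" = reuse ]; then cp "$d/key1.pem" "$d/key2.pem"; else gen_key "$d/key2.pem"; fi
  make_csr "$d/key2.pem" "$2" "$d/req2.csr"
  issue_cert "$d/key2.pem" "$2" "$d/cert2.pem"
  _cmp "TLSA 3 1 1" "$(spki_hex_from_cert "$d/cert1.pem")" "$(spki_hex_from_cert "$d/cert2.pem")"
  _cmp "TLSA 3 0 1" "$(cert_hex "$d/cert1.pem")" "$(cert_hex "$d/cert2.pem")"
  _cmp "HPKP pin-sha256" "$(hpkp_pin_from_cert "$d/cert1.pem")" "$(hpkp_pin_from_cert "$d/cert2.pem")"
  if [ "$(spki_hex_from_key "$d/key1.pem")" = "$(spki_hex_from_cert "$d/cert2.pem")" ]; then
    echo "old key matches current cert: yes"
  else
    echo "old key matches current cert: no"
  fi
  rm -rf "$d"
}

# Stand-alone run: the record to publish up front, then both renewal modes.
demo() {
  d=$(mktemp -d)
  gen_key "$d/key.pem"; make_csr "$d/key.pem" www.example.org "$d/req.csr"
  tlsa_record_from_csr www.example.org "$d/req.csr"
  rm -rf "$d"
  echo "-- renewal with the key pair reused:";  renewal_report reuse  www.example.org
  echo "-- renewal with a fresh key pair:";     renewal_report rotate www.example.org
}
demo
```

Recycling the CSR with certbot's `--csr` option (or any client that accepts a pre-made CSR) is what keeps the "3 1 1" line and the HPKP pin unchanged across renewals; note that the key material never leaves the host, so nothing here affects the CA side.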
