[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today
hanno at hboeck.de
Wed Mar 8 17:06:05 CET 2017
On Wed, 08 Mar 2017 16:53:01 +0100
Gunnar Haslinger <gh.bettercrypto at hitco.at> wrote:
> Use Let's Encrypt with your custom CSR, recycle your CSR when
> renewing (which means reusing the KeyPair). No changes in
> TLSA-Records or HPKP needed, because stable Keypair.
I'd say then you're trading one security property for another.

Changing keys regularly is IMHO a good thing, it gives you some kind of
weak forward secrecy property. IMHO more valuable and less error prone.

Imagine someone gets access to an old backup or harddisk of yours. If
you regularly switch keys he won't get an active private key from you.
If you reuse private keys he will.
mail/jabber: hanno at hboeck.de
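Added example, not part of this thread or of bettercrypto.org: a shell script that simulates both renewal strategies with the openssl CLI and shows what each does to a DANE TLSA record. It assumes a hypothetical host (mail.example.org), uses a self-signed certificate issued from the CSR as a stand-in for Let's Encrypt, and assumes openssl is on PATH. The point it demonstrates: a "3 1 1" record (DANE-EE, selector 1 = SubjectPublicKeyInfo, SHA-256) covers only the public key, so recycling the CSR leaves it unchanged, while a "3 0 1" record (full certificate) changes on every renewal regardless; and a fresh key per renewal can still be done without breaking DANE by publishing the new key's record before switching. The HPKP pin is shown only because the thread mentions it; browsers have since dropped HPKP.

```sh
#!/bin/sh
# Added example (not from the thread). Simulates "recycle the CSR" vs.
# "rotate the key" with openssl and prints the resulting TLSA records.
set -e
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
host=mail.example.org   # hypothetical host; TLSA owner would be _25._tcp.$host

# P-256 key: accepted by Let's Encrypt and quick to generate.
gen_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# CSR bound to the given key. Re-submitting this same file on renewal is the
# "recycle your CSR" approach: same key, hence same SubjectPublicKeyInfo.
make_csr() { openssl req -new -key "$1" -subj "/CN=$host" -out "$2"; }

# Stand-in for the CA: self-sign the CSR with its own key. Serial (argument 3)
# and validity differ per issuance, so each certificate is a distinct object.
issue_cert() { openssl x509 -req -in "$1" -signkey "$2" -set_serial "$3" -days 90 -out "$4" 2>/dev/null; }

# SHA-256 over the DER SubjectPublicKeyInfo read from stdin (PEM public key):
# this hex string is the payload of a "3 1 1" TLSA record.
spki_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
tlsa_311_from_key()  { echo "3 1 1 $(openssl pkey -in "$1" -pubout | spki_hash)"; }
tlsa_311_from_cert() { echo "3 1 1 $(openssl x509 -in "$1" -pubkey -noout | spki_hash)"; }

# SHA-256 over the whole DER certificate: payload of a "3 0 1" record.
tlsa_301_from_cert() { echo "3 0 1 $(openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}')"; }

# Same SPKI digest, base64-encoded: the pin-sha256 value HPKP used.
hpkp_pin_from_key() { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -binary | openssl base64; }

# --- Strategy 1: recycle the CSR (stable keypair) ---------------------------
gen_key "$workdir/key.pem"
make_csr "$workdir/key.pem" "$workdir/csr.pem"
issue_cert "$workdir/csr.pem" "$workdir/key.pem" 1001 "$workdir/cert_2017.pem"
issue_cert "$workdir/csr.pem" "$workdir/key.pem" 1002 "$workdir/cert_2017_renewed.pem"

old_311=$(tlsa_311_from_cert "$workdir/cert_2017.pem")
new_311=$(tlsa_311_from_cert "$workdir/cert_2017_renewed.pem")
echo "renewal with a recycled CSR:"
echo "  3 1 1 before: $old_311"
echo "  3 1 1 after:  $new_311"
[ "$old_311" = "$new_311" ] || { echo "unexpected: 3 1 1 record changed"; exit 1; }
echo "  3 0 1 before: $(tlsa_301_from_cert "$workdir/cert_2017.pem")"
echo "  3 0 1 after:  $(tlsa_301_from_cert "$workdir/cert_2017_renewed.pem")   (changes on every renewal)"

# --- Strategy 2: fresh key per renewal, with a DANE rollover ----------------
gen_key "$workdir/key_next.pem"
make_csr "$workdir/key_next.pem" "$workdir/csr_next.pem"
# The 3 1 1 record needs only the key, so it can be published before the
# certificate even exists.
next_311=$(tlsa_311_from_key "$workdir/key_next.pem")
echo "key rotation with rollover:"
echo "  1. publish both:  _25._tcp.$host. IN TLSA $old_311"
echo "                    _25._tcp.$host. IN TLSA $next_311"
echo "  2. wait at least one TLSA TTL, then renew with csr_next.pem and deploy"
issue_cert "$workdir/csr_next.pem" "$workdir/key_next.pem" 1003 "$workdir/cert_next.pem"
[ "$(tlsa_311_from_cert "$workdir/cert_next.pem")" = "$next_311" ] || exit 1
echo "  3. remove the old record; only then retire key.pem and its backups"
echo "HPKP pin-sha256 of the old key (same digest, base64): $(hpkp_pin_from_key "$workdir/key.pem")"
```

Run it with `sh` in a directory where openssl is available; every file lives in a temporary directory that is removed on exit. The contrast between the 3 1 1 and 3 0 1 lines is why DANE deployments that want renewals to be hands-off use selector 1 (SPKI), and the rollover steps are how to get the key rotation argued for above without a window in which validating senders reject the host.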