[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today
Gunnar Haslinger
gh.bettercrypto at hitco.at
Wed Mar 8 17:17:38 CET 2017
On 2017-03-08 17:06, Hanno Böck wrote:
> I'd say then you're trading one security property for another.
I agree...
but: Before we used Let's Encrypt, we were pretty happy using
certificates valid for 1 or 2 years. I didn't say: use the keypair
forever - but changing it every ~60 days is a bit uncomfortable, then you
really have to automate even the HPKP and TLSA/DANE thing. Changing the
keypair once a year as we did it before using Let's Encrypt is (in my
opinion) an acceptable tradeoff. Once a year you can spend one hour of
time to do the whole process manually, but not every 2 months.