[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today

Gunnar Haslinger gh.bettercrypto at hitco.at
Wed Mar 8 17:17:38 CET 2017


Am 2017-03-08 17:06, schrieb Hanno Böck:
> I'd say then you're trading one security property for another.

I agree...

but: Before we used Let's Encrypt, we were pretty happy using
certificates valid for 1 or 2 years. I didn't say: use the keypair
forever, but changing it every ~60 days is a bit uncomfortable; then you
really have to automate even the HPKP and TLSA/DANE thing. Changing the
keypair once a year, as we did before using Let's Encrypt, is (in my
opinion) an acceptable tradeoff. Once a year you can spend one hour of
time to do the whole process manually, but not every 2 months.


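The point under discussion (that a ~60-day key rotation forces you to automate HPKP and TLSA/DANE updates) rests on what those pins actually hash: the SubjectPublicKeyInfo, not the certificate. If the key pair is kept across renewals (certbot offers this as --reuse-key), a TLSA "3 1 1" record and an HPKP pin-sha256 value stay valid no matter how often Let's Encrypt reissues the certificate. The script below is an added example, not code from the thread or from any project named in it; it assumes only that OpenSSL is installed, generates all keys and certificates locally (self-signed, standing in for ACME issuance), and uses the constructed name example.test. It derives the TLSA record and HPKP pin for an original certificate, a renewal with the same key, and a renewal with a fresh key, and includes the pre-deployment check a renewal hook would run before swapping in a new certificate.

```shell
#!/bin/sh
# Added example: how DANE TLSA 3 1 1 and HPKP pin-sha256 values behave across
# certificate renewals with and without key reuse. Everything is generated
# locally with OpenSSL; nothing is fetched from Let's Encrypt.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-sign a certificate for an existing private key. Stands in for an ACME
# (re)issuance: the CA signs whatever public key the CSR carries.
issue_cert() {  # $1 = private key file, $2 = output certificate file
    openssl req -new -x509 -key "$1" -days 90 -subj "/CN=example.test" \
        -out "$2" 2>/dev/null
}

# SHA-256 of the DER-encoded SubjectPublicKeyInfo as lowercase hex: exactly
# the data field of a TLSA record with usage 3 (DANE-EE), selector 1 (SPKI),
# matching type 1 (SHA-256). The signature and validity dates are not hashed.
spki_sha256_hex() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 -binary \
      | od -An -tx1 | tr -d ' \n'
}

# The same SPKI hash, base64-encoded: the value HPKP's pin-sha256="..." carries.
hpkp_pin() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Full TLSA resource record for a host/port, ready to paste into a zone file.
tlsa_record() {  # $1 = port, $2 = host, $3 = certificate file
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$2" "$(spki_sha256_hex "$3")"
}

# Pre-deployment check for a renewal hook: does the TLSA data already
# published in DNS still match the certificate about to be installed?
tlsa_matches_cert() {  # $1 = published TLSA hex data, $2 = new certificate file
    [ "$1" = "$(spki_sha256_hex "$2")" ]
}

# True when two certificates share a SPKI hash, i.e. existing pins stay valid.
pins_match() {  # $1, $2 = certificate files
    [ "$(spki_sha256_hex "$1")" = "$(spki_sha256_hex "$2")" ]
}

# Scenario 1: renewal that keeps the key pair (what certbot --reuse-key does).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/key1.pem" 2>/dev/null
issue_cert "$WORK/key1.pem" "$WORK/cert_first.pem"
issue_cert "$WORK/key1.pem" "$WORK/cert_renewed.pem"

# Scenario 2: renewal that also rotates the key pair.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/key2.pem" 2>/dev/null
issue_cert "$WORK/key2.pem" "$WORK/cert_newkey.pem"

PUBLISHED=$(spki_sha256_hex "$WORK/cert_first.pem")   # what DNS currently says

echo "Published record:  $(tlsa_record 443 example.test "$WORK/cert_first.pem")"
echo "HPKP pin:          pin-sha256=\"$(hpkp_pin "$WORK/cert_first.pem")\""
echo

if tlsa_matches_cert "$PUBLISHED" "$WORK/cert_renewed.pem"; then
    echo "Renewal with same key:  TLSA/HPKP still valid, safe to install"
else
    echo "Renewal with same key:  MISMATCH (unexpected)"
fi

if tlsa_matches_cert "$PUBLISHED" "$WORK/cert_newkey.pem"; then
    echo "Renewal with new key:   TLSA/HPKP still valid (unexpected)"
else
    echo "Renewal with new key:   MISMATCH, publish new TLSA record and new"
    echo "                        HPKP pin first, wait out DNS TTL / pin max-age"
fi
```

Run it as a plain sh script; the pre-check in tlsa_matches_cert is the part worth wiring into a renewal hook, so that a rotated key is never installed while DNS still advertises the old SPKI hash. Note that key reuse buys pin stability at the cost of the forward-secrecy-of-key-compromise argument Hanno raises; the script shows the mechanics, not which trade-off to pick.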