[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 14 03:21:59 CET 2017

On Wed 2017-03-08 11:06:05 -0500, Hanno Böck wrote:
> Changing keys regularly is imho a good thing, it gives you some kind of
> weak forward secrecy property. IMHO more valuable and less error prone
> than HPKP.

This isn't forward secrecy at all.  With modern TLS, the only mode is
forward secret.  What you're describing is active endpoint

> Imagine someone gets access to an old backup or harddisk of yours. If
> you regularly switch keys he won't get an active private key from you.
> If you reuse private keys he will.

This is a pretty narrow threat model, but i agree with you that it's
something that some people my find it worthwhile to consider.

however, a better approach would be a scheduled transition from one key
to the next, with an offline next-key introduced via hpkp before it is
deployed.  improving ACME clients to handle this kind of workflow in a
sane way by default would be very helpful.


More information about the Ach mailing list