[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today

Aaron Zauner azet at azet.org
Tue Mar 14 06:32:28 CET 2017


I think one of the big "accidental" features of how Let's Encrypt
deals with renewing certificates is that it makes certificate
revocation workable. In reality neither CRLs nor OCSP work at scale.
There used to be a nice webpage that would show statistics on OCSP
latency; most CAs would have OCSP instances with latency ranging
from 200ms to a few seconds. CRLs grow exponentially in size and you
need to keep track of them as well. So while not ideal, these
short-lived certs give you the possibility to automatically
"time out" certs/services that you may have lost control over
(worst case). Of course the Let's Encrypt service (ACME protocol)
has the possibility to directly revoke certificates as well.

Just a thought.

As for dealing with HPKP: I'd wait for Certbot to properly integrate
that. A lot can go wrong there, and you'd want proper tests for
different software daemons and environments if you're automating
HPKP deployment. I'm not sure this feature is on their roadmap
currently, but I know they're aware of HPKP and are considering it.
They just have a lot of other pressing issues and integration to get
done first.
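Added here as an illustration of the kind of pre-deployment test the last paragraph asks for, not code from the thread, from Certbot or from Let's Encrypt: a check that a Public-Key-Pins header is consistent with the chain a daemon actually serves and with an offline backup key, so a renewal that rotates the key cannot lock clients out. The function names, the max-age policy bounds and the sample SPKI bytes are assumptions made for the example.

```python
import base64
import hashlib
import re

# Assumed policy bounds for max-age (not from the thread): at least a day to be
# meaningful, at most 60 days so a lost key cannot lock clients out for longer.
MIN_MAX_AGE = 24 * 3600
MAX_MAX_AGE = 60 * 24 * 3600

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def _is_sha256_b64(pin: str) -> bool:
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def parse_hpkp(header: str):
    """Extract pin-sha256 values and max-age from a Public-Key-Pins header value."""
    pins = re.findall(r'pin-sha256="([^"]*)"', header)
    match = re.search(r"max-age=(\d+)", header)
    return pins, (int(match.group(1)) if match else None)

def check_hpkp(header: str, served_spkis, backup_spkis) -> list:
    """Return deployment problems; an empty list means the header is safe to send."""
    # served_spkis: DER SPKIs the daemon actually serves; backup_spkis: offline backup keys
    pins, max_age = parse_hpkp(header)
    pin_set = set(pins)
    served = {spki_pin(s) for s in served_spkis}
    backup = {spki_pin(s) for s in backup_spkis}
    problems = [f"malformed pin {p!r}" for p in pins if not _is_sha256_b64(p)]
    if len(pin_set) < 2:
        problems.append("fewer than two distinct pins (RFC 7469 requires a backup pin)")
    if not pin_set & served:
        problems.append("no pin matches the served chain: browsers would reject the site")
    if not pin_set - served:
        problems.append("no pin outside the served chain: a key rotation would lock clients out")
    if not backup & pin_set:
        problems.append("offline backup key is not pinned: renewing with a new key breaks clients")
    if max_age is None:
        problems.append("max-age missing")
    elif not MIN_MAX_AGE <= max_age <= MAX_MAX_AGE:
        problems.append(f"max-age {max_age} outside policy [{MIN_MAX_AGE}, {MAX_MAX_AGE}]")
    return problems

# Constructed sample SPKIs: opaque bytes stand in for real DER SubjectPublicKeyInfo
LEAF_SPKI, BACKUP_SPKI = b"constructed-leaf-spki", b"constructed-backup-spki"
```

Run it against the header a renewal hook is about to install, with the SPKIs pulled from the freshly issued chain and from the backup key kept off the server; any non-empty result should abort the deployment.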

