[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today

Gunnar Haslinger gh.bettercrypto at hitco.at
Fri Mar 17 09:52:54 CET 2017

On 2017-03-17 09:32, Aaron Zauner wrote:

> Maybe I misunderstand, but why would you want to do that? You can do
> a key-rollover just fine with HPKP headers and TLSA records.

Sure, but that needs time and a solid understanding of HPKP and/or TLSA 
for preparing a new keypair (and/or a new backup keypair), deploying the new 
TLSA records and HPKP headers ... The recent discussion was like "sure, 
you can handle this, but you can easily knock yourself out if you don't 
know exactly what you have to do, in which order and in which period of time".

As long as you don't automate the TLSA and/or HPKP key change, you 
probably don't want to change your keys every ~60-80 days manually when 
using TLSA and/or HPKP with Let's Encrypt.

Using Let's Encrypt with CSRs keeps the keypair stable as long as you 
like - no headache regarding TLSA/HPKP.

My personal opinion: as long as I have no indication my keypair got 
compromised (server hack etc.) I keep the keys used with HPKP/TLSA for 
one year before changing them, and do the HPKP+TLSA update only once a 
year, not every two months.
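An added shell example (not from this thread or its author) to make the point concrete: TLSA "3 1 1" data and HPKP pins are digests of the SubjectPublicKeyInfo only, so renewals issued from the same CSR/keypair leave them unchanged, while a fresh key changes them. It assumes openssl is on PATH; self-signed certificates stand in for the CA-issued renewals, and example.test is a placeholder host.

```shell
#!/bin/sh
# Added example: stable keypair => stable TLSA (3 1 1) record and HPKP pin.
# Assumes openssl on PATH; self-signed certs stand in for Let's Encrypt renewals.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of a certificate, as hex.
spki_sha256_hex() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

# Same digest, base64-encoded: the pin-sha256 value format used by HPKP.
spki_sha256_b64() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64
}

# DANE-EE (3) / SPKI (1) / SHA-256 (1) record for an HTTPS host.
tlsa_record() { printf '_443._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(spki_sha256_hex "$2")"; }

# HPKP header pinning the live key plus a pre-published backup key (second cert).
hpkp_header() {
  printf 'Public-Key-Pins: pin-sha256="%s"; pin-sha256="%s"; max-age=5184000\n' \
    "$(spki_sha256_b64 "$1")" "$(spki_sha256_b64 "$2")"
}

# True when two certificates carry the same public key, i.e. pin identically.
same_pin() { [ "$(spki_sha256_hex "$1")" = "$(spki_sha256_hex "$2")" ]; }

# Two keypairs with reusable CSRs; cert1/cert2 are "renewals" of key1,
# cert3 is on a fresh key2 (the case that would require a TLSA/HPKP update).
make_certs() {
  for n in 1 2; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/key$n.pem" 2>/dev/null
    openssl req -new -key "$WORK/key$n.pem" -subj "/CN=example.test" -out "$WORK/req$n.csr"
  done
  openssl x509 -req -in "$WORK/req1.csr" -signkey "$WORK/key1.pem" -days 90 -out "$WORK/cert1.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/req1.csr" -signkey "$WORK/key1.pem" -days 90 -out "$WORK/cert2.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/req2.csr" -signkey "$WORK/key2.pem" -days 90 -out "$WORK/cert3.pem" 2>/dev/null
}

make_certs
tlsa_record example.test "$WORK/cert1.pem"
hpkp_header "$WORK/cert1.pem" "$WORK/cert3.pem"
```

Renewing with the same CSR (cert1 vs. cert2) yields an identical record and pin; only the fresh key (cert3) produces a new digest that would have to be published in DNS and in the header before switching.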
