[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today
Gunnar Haslinger
gh.bettercrypto at hitco.at
Fri Mar 17 09:52:54 CET 2017
Am 2017-03-17 09:32, schrieb Aaron Zauner:
> Maybe I misunderstand, but why would you want to do that? You can do
> a key-rollover just fine with HPKP headers and TLSA records.
Sure, but that needs time and a solid understanding of HPKP and/or TLSA
for preparing a new Keypair (and/or new Backup-Keypair), deploy the new
TLSA-Records and HPKP Headers ... The recent discussion was like "sure,
you can handle this, but you can easily knock yourself out if you don't
know what you have to do exactly in which order and period of time".
As long as you don't automate the TLSA and/or HPKP Keychange you
probably don't want to change your Keys every ~60-80 Days manually when
using TLSA and/or HPKP with Let's Encrypt.
Using Let's Encrypt with CSRs keeps the Keypair stable as long as you
like - no headache regarding TLSA/HPKP.
My personal opinion: as long as I have no indication my Keypair got
compromised (Server-Hack etc...) I keep the Keys used with HPKP/TLSA for
one year before changing them and do the HPKP+TLSA-Update only once a
year, not every two month.
More information about the Ach
mailing list