[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today
Hanno Böck
hanno at hboeck.de
Fri Mar 17 10:24:23 CET 2017
On Fri, 17 Mar 2017 09:52:54 +0100
Gunnar Haslinger <gh.bettercrypto at hitco.at> wrote:
> Sure, but that needs time and a solid understanding of HPKP and/or
> TLSA for preparing a new Keypair (and/or new Backup-Keypair), deploy

I said this before, I'll say it again: If you don't have a solid
understanding of HPKP then *don't use it ever*. Don't even think about
it. Your chances of making your page unavailable are extremely high.

HPKP is a nice feature, but it absolutely requires a solid
understanding and a good plan to avoid its pitfalls. If you're not
capable of having a good key rollover plan then you shouldn't deploy HPKP.

--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42