[Ach] Let's Encrypt + TLSA, DANE, HPKP, ... - was: bettercrypto.org certificate has expired today

Hanno Böck hanno at hboeck.de
Fri Mar 17 10:24:23 CET 2017

On Fri, 17 Mar 2017 09:52:54 +0100
Gunnar Haslinger <gh.bettercrypto at hitco.at> wrote:

> Sure, but that needs time and a solid understanding of HPKP and/or
> TLSA for preparing a new Keypair (and/or new Backup-Keypair), deploy

I said this before, I'll say it again: If you don't have a solid
understanding of HPKP then *don't use it ever*. Don't even think about
it. Your chances of making your page unavailable are extremely high.

HPKP is a nice feature, but it absolutely requires a solid
understanding and a good plan to avoid its pitfalls. If you're not
capable of having a good keyrolover plan then you shouldn't deploy HPKP.

Hanno Böck

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

More information about the Ach mailing list