On 08/31/2018 05:54 PM, John R. Dennison wrote:
On Fri, Aug 31, 2018 at 05:30:53PM -0400, Robert Moskowitz wrote:
Letsencrypt is a very important development, but it has (IMHO) a shaking
foundation. I would not build a production system around it. But then I
have lived in aspects of PKI since '95...
I presume you meant "shaky foundation"?
Yes. I am not in California (or similar earthquake place!) Good old
stable Michigan (we do get mild ones once in a while. :)
If so, would you care to elaborate
It is designed for getting web servers quickly into TLS and then to a
more stable provider. "Make the web safe for all". If your content is
short information, your contacts will never notice that you go to a new
cert quarterly. Long-term users might also never see this, but I can
see web services where a new cert every 90 days will cause a pain point.
And for other services like IMAP, SMTP, LDAP (maybe not LDAP) constant
changing certs even with a long lived root may get old for your customers.
Plan on this to 'get into the pool', but not to live with it for more
than a year.
Unfortunately, there has never been an effective business model for
small customers.
We are kind of close with DMARC, but I think it misses the mark. Putting
your domain root cert into your DNSSEC signed domain should be all that
is needed to establish a rooted trust.
I have to speak with some IETF colleagues on this (particularly in
DNSSEC and DMARC)....
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
