Re: Certificates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

1 sep 2018 kl. 00:42 skrev Robert Moskowitz <rgm@xxxxxxxxxxxxxxx>:

> On 08/31/2018 05:54 PM, John R. Dennison wrote:
>> On Fri, Aug 31, 2018 at 05:30:53PM -0400, Robert Moskowitz wrote:
>>> Letsencrypt is a very important development, but it has (IMHO) a shaking
>>> foundation.  I would not build a production system around it.  But then I
>>> have lived in aspects of PKI since '95...
>> I presume you meant "shaky foundation"?
> 
> Yes.  I am not in California (or similar earthquake place!)  Good old stable Michigan (we do get mild ones once in a while.  :)
> 
>> If so, would you care to elaborate
> 
> It is designed for getting web servers quickly into TLS and then to a more stable provider.  "Make the web safe for all".  If your content is short information, your contacts will never notice that you go to a new cert quarterly.  Long-term users might also never see this, but I can see web services where a new cert every 90 days will cause a pain point.
> 
> And for other services like IMAP, SMTP, LDAP (maybe not LDAP) constant changing certs even with a long lived root may get old for your customers.
> 
> Plan on this to 'get into the pool', but not to live with it for more than a year.
> 
> Unfortunately, there has never been an effective business model for small customers.
> 
> We are kind of close with DMARC, but I think it misses the mark. Putting your domain root cert into your DNSSEC signed domain should be all that is needed to establish a rooted trust.
> 
> I have to speak with some IETF colleagues on this (particularly in DNSSEC and DMARC)....

I'm not sure I still see the point you're trying to make. What actual practical and concrete problems are you suggesting may arise in the situations you touch on above?

As far as I know, if you have a properly set up LE certificate for a service, and renew it regularly, clients will not have a problem with this. They trust the root CA, and when you renew/replace the certificate, they will happily trust the new one, over and over again.

Considering all relevant root trust stores now contain LE's CA, it's here to stay from what I can tell, not to mention it's working well so far.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]

  Powered by Linux