On Tue, 23 Aug 2016, Phillip Carroll wrote:
> I am now convinced that exim, or possibly the 'email subsystem', as it were,
> should have its own dedicated certificate and key. Among the many reasons for
> not sharing the LE-backed Web certificate is its short duration. As pointed
> out on another exim thread, this short duration can create a logistical
> nightmare to support some email-related features.
>
> I also now have security concerns about sharing a private key among some
> amorphous group of unrelated software entitities. It seems to make more sense
> to dedicate certificates for different purposes. Originally, my idea was to
> take advantage of an automated cert-renewal process, but in light of how
> things actually work, I no longer see that as a priority.
I agree that sharing a private key between loosely related,
(or unrelated) services is a bad idea.
There was a thread in mailop@??? last month
(those of you with access can start at
https://chilli.nosignal.org/cgi-bin/mailman/private/mailop/2016-June/008120.html
but their web cert expired in February so your browser should object)
about dropping TLS1.0 from smtp servers; the conclusion appeared to
be that although the time may have come to drop TLS1.0 for web, it has
not yet come for SMTP.
It occurred to me that in the light of the DROWN vunerability,
services/protocols with different security configurations should not share
certificates *or certificates which would be valid for the other service*.
--
Andrew C Aitchison