[exim] Re: TAKE NOTE 2: Future Let's Encrypt CA choice rando…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni via Exim-users
Datum:  
To: exim-users
Betreff: [exim] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.
On Thu, Nov 16, 2023 at 07:41:46PM +0000, Slavko via Exim-users wrote:

> >If you're using Let's Encrypt as your CA and prefer to publish
> >DANE-TA(2), rather than DANE-EE(3) TLSA records, please look over:
>
> Just curious. Enough recent certbot provides --reuse-key and --new-key
> (or so) options, thus one can stay with DANE-EE records. Please, beside
> using ACME client which doesn't support that, is it still useful to use
> DANE-TA with LE?


I don't recommend DANE-TA(2), and encourage use of DANE-EE(3) instead.

This avoids unnecessary trust in the CA's usually weak "DV" certificate
issuance, and gives you more control over the timing of changes.

You do however need to be more sophisticated about any key rollovers
that you do perform from time to time.

I have a partial (usabel work-in-progress) solution to that workflow for
"certbot" in the form of:

        https://github.com/tlsaware/danebot


and there are other tools that take a similar approach. I would love to
see code contributions that flesh out "danebot" to make it more "feature
compleet", adding support for robust (retried to ensure "at least" one
successful activation) hooks and for changes in the list of requested
domains without forcing a key rollover.

Any motivated and suitably skilled volunteers?

-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/