[exim] TAKE NOTE 3: Upcoming new Let's Encrypt intermediate i…

Author: Viktor Dukhovni via Exim-users
Date:  
To: exim-users
Previous topic: [exim] TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.
Next topic: [exim] More changes (2024-06-06) at Let's Encrypt affecting DANE-TA(2) TLSA records
Subject: [exim] TAKE NOTE 3: Upcoming new Let's Encrypt intermediate issuer CAs.
My previous post on this topic noted that Let's Encrypt are planning to
*randomise* the choice of intermediate issuer CA used with each renewal.

It now turns out that they will also be switching to new underlying
intermediate CAs. So you'll get a random choice of *new* issuers.

    https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/L7XoAXt_s1c/m/k_vdk9rQAwAJ


    - We will be generating 5 RSA and 5 ECDSA intermediates, instead of 2
      each. We plan to automatically rotate issuance between multiple
      intermediates for improved redundancy.


    - We will be shortening their validity period from 5 years to 3 years,
      to reflect our commitment to issue new intermediates every 2 years.


So anyone relying on DANE-TA(2) (certificate usage 2) needs to closely
watch for upcoming announcements from LE, and be prepared to add TLSA
records for the new intermediates soon. Or stop playing their game, and
switch to a robust "3 1 1" + "3 1 1" model with a stable-by-default
key during certificate renewals.

-- 
    Viktor.
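The following Go program is an added illustration of the point above; it is not part of Viktor's post and not Exim code. It mints two throwaway self-signed CAs that stand in for two Let's Encrypt intermediates (the labels "Example Intermediate A"/"B", the serial numbers and the hostname mail.example.com are made up), issues one host's certificate under A, reissues it under B with the same leaf key (what a randomised or replaced issuer looks like from the zone owner's side), and finally reissues it under B after rolling to a new key. It then runs the TLSA matching step a DANE verifier performs for "x 1 1" records (SPKI selector, SHA-256) and shows which record sets survive each event: a "2 1 1" record pinned to intermediate A stops matching as soon as the issuer changes, while "3 1 1" for the current key plus "3 1 1" for the next key matches through both the issuer switch and the key rollover.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// tlsaSPKI renders TLSA RDATA with selector 1 (SPKI) and matching type 1 (SHA-256); usage 2 = DANE-TA, 3 = DANE-EE.
func tlsaSPKI(usage int, cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return fmt.Sprintf("%d 1 1 %s", usage, hex.EncodeToString(sum[:]))
}

// daneMatches is the verifier's matching step for "x 1 1" records: a usage-3 record must equal the
// leaf's SPKI digest; a usage-2 record must equal the digest of a chain cert that also validates the leaf.
func daneMatches(records []string, leaf *x509.Certificate, chain ...*x509.Certificate) bool {
	for _, r := range records {
		if r == tlsaSPKI(3, leaf) {
			return true
		}
		for _, c := range chain {
			roots := x509.NewCertPool()
			roots.AddCert(c)
			if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err == nil && r == tlsaSPKI(2, c) {
				return true
			}
		}
	}
	return false
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
}

// newIssuer mints a locally generated, self-signed CA standing in for one intermediate.
func newIssuer(serial int64, name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := template(serial, name)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue signs a server certificate for host carrying the public key pub under the given CA.
func issue(serial int64, host string, pub *ecdsa.PublicKey, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	t := template(serial, host)
	t.DNSNames = []string{host}
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der := must(x509.CreateCertificate(rand.Reader, t, ca, pub, caKey))
	return must(x509.ParseCertificate(der))
}

// Renewals: one host issued under intermediate A, then under B with the same key, then under B with a rolled key.
type Renewals struct {
	InterA, InterB, LeafA, LeafB, LeafNext *x509.Certificate
}

func renewalDemo(host string) Renewals {
	interA, keyA := newIssuer(1, "Example Intermediate A") // illustrative labels, not real LE names
	interB, keyB := newIssuer(2, "Example Intermediate B")
	stable := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	next := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return Renewals{
		InterA: interA, InterB: interB,
		LeafA:    issue(10, host, &stable.PublicKey, interA, keyA),
		LeafB:    issue(11, host, &stable.PublicKey, interB, keyB),
		LeafNext: issue(12, host, &next.PublicKey, interB, keyB),
	}
}

func main() {
	r := renewalDemo("mail.example.com") // hostname is made up
	ta := []string{tlsaSPKI(2, r.InterA)}                         // "2 1 1" pinned to intermediate A
	ee := []string{tlsaSPKI(3, r.LeafA), tlsaSPKI(3, r.LeafNext)} // "3 1 1" + "3 1 1": current and next key
	fmt.Println(daneMatches(ta, r.LeafB, r.InterB), daneMatches(ee, r.LeafB, r.InterB), daneMatches(ee, r.LeafNext, r.InterB))
}
```

The "3 1 1" digest covers only the leaf's SubjectPublicKeyInfo, so reissuing under any intermediate leaves it unchanged; a "2 1 1" record instead pins the issuer's key and has to be republished every time the issuer set changes. In practice the second "3 1 1" record is computed from the next key pair before any certificate for it exists and published ahead of the rollover; the program derives it from LeafNext only because that is the object it already has. Only the TLSA matching step is modelled here; fetching the records over DNSSEC and the TLS handshake itself are left out.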


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/