[CentOS] Certificates

Fri Aug 31 22:42:12 UTC 2018
Robert Moskowitz <rgm at htt-consult.com>


On 08/31/2018 05:54 PM, John R. Dennison wrote:
> On Fri, Aug 31, 2018 at 05:30:53PM -0400, Robert Moskowitz wrote:
>> Letsencrypt is a very important development, but it has (IMHO) a shaking
>> foundation.  I would not build a production system around it.  But then I
>> have lived in aspects of PKI since '95...
> I presume you meant "shaky foundation"?

Yes.  I am not in California (or similar earthquake place!)  Good old 
stable Michigan (we do get mild ones once in a while.  :)

> If so, would you care to elaborate?

It is designed for getting web servers quickly into TLS and then to a 
more stable provider.  "Make the web safe for all".  If your content is 
short information, your contacts will never notice that you go to a new 
cert quarterly.  Long-term users might also never see this, but I can 
see web services where a new cert every 90 days will cause a pain point.

And for other services like IMAP, SMTP, LDAP (maybe not LDAP), constantly 
changing certs, even with a long-lived root, may get old for your customers.

Plan on this to 'get into the pool', but not to live with it for more 
than a year.

Unfortunately, there has never been an effective business model for 
small customers.

We are kind of close with DMARC, but I think it misses the mark. Putting 
your domain root cert into your DNSSEC signed domain should be all that 
is needed to establish a rooted trust.

I have to speak with some IETF colleagues on this (particularly in 
DNSSEC and DMARC)....