My previous post on this topic noted that covered Let's Encrypt are
planning to *randomise* the choice of intermediate issuer CA used with
each renewal.
It now turns out that they will also be switching to new underlying
intermediate CAs. So you'll a random choice of *new* issuers.
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/L7XoAXt_s1c/m/k_vdk9rQAwAJ
- We will be generating 5 RSA and 5 ECDSA intermediates, instead of 2
each. We plan to automatically rotate issuance between multiple
intermediates for improved redundancy.
- We will be shortening their validity period from 5 years to 3 years,
to reflect our commitment to issue new intermediates every 2 years.
So anyone relying on DANE-TA(2) (certificate usage 2) needs to closely
watch for upcoming announcements from LE, and be prepared to add TLSA
records for the new intemediates soon. Or stop playing their game, and
switch to a robust "3 1 1" + "3 1 1" model with a stable by default
key during certificate renewals.
--
Viktor.
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
planning to *randomise* the choice of intermediate issuer CA used with
each renewal.
It now turns out that they will also be switching to new underlying
intermediate CAs. So you'll a random choice of *new* issuers.
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/L7XoAXt_s1c/m/k_vdk9rQAwAJ
- We will be generating 5 RSA and 5 ECDSA intermediates, instead of 2
each. We plan to automatically rotate issuance between multiple
intermediates for improved redundancy.
- We will be shortening their validity period from 5 years to 3 years,
to reflect our commitment to issue new intermediates every 2 years.
So anyone relying on DANE-TA(2) (certificate usage 2) needs to closely
watch for upcoming announcements from LE, and be prepared to add TLSA
records for the new intemediates soon. Or stop playing their game, and
switch to a robust "3 1 1" + "3 1 1" model with a stable by default
key during certificate renewals.
--
Viktor.
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/