On Tue, Dec 5, 2023 at 2:30 PM Jeffrey Walton <noloa...@gmail.com> wrote:
> Key continuity is a much better security property than what key > rotation provides. Loss of key continuity exposed Diginotar. Why would > LE discourage it? > This is contrary to the current industry consensus. Root programs are moving to limit CA lifetimes: Mozilla recently instituted a policy <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#74-root-ca-lifecycles> that root key material will not be trusted for more than 15 years, and Chrome has announced their desire <https://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/#encouraging-modern-infrastructures-and-agility> to limit root certificates to 7 years and intermediate certificates to 3 years. We prefer to be proactive, and also prefer to have a buffer between our practices and the strictest requirements, so we are shortening our intermediate lifetimes now. Note also that, while Google did detect the fraudulent diginotar *. google.com certificate thanks to HPKP key pinning, it was the root key that was pinned, not an intermediate. And at the time, we didn't yet have certificate transparency logs, let alone browsers enforcing the presence of SCTs. > What advantages? > Today, every time we switch to new intermediates we have to deal with the problem Hanno Böck described -- breakages because people have setups that assume our intermediates will be static. This happens regularly, because intermediates expire. Switching to a system where the intermediates are changing constantly forces clients to be able to properly use the intermediate which actually issued the new certificate, rather than making assumptions about that intermediate. This will prevent similar breakages when we issue the next batch of intermediates. Basically, we're trading a slightly higher expected breakage / support load during this intermediate transition for drastically lower breakage during all future intermediate transitions. Hmmm... We use Apache, SSLCertificateChainFile and SSLCertificateFile. > LE is just creating more work for us. > To the best of my knowledge, there are multiple ACME clients that can populate Apache's SSLCertificateChainFile from the intermediate provided along with the certificate at the end of the ACME issuance flow. Thanks, Aaron -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErcVkLwwUt8cBpSfDLMpJu4MRgpCoRdQ%3Du2Ayu8%3DYOF9TA%40mail.gmail.com.