On Thu, Nov 27, 2025 at 21:28:46 +1100, Viktor Dukhovni via Postfix-users wrote:
> and are you perhaps willing/able to post a similar follow-up to the
> <[email protected]> and/or <[email protected]> lists?
I'm not subscribed to those lists, sorry.
> Though my main take away from all this is that "2 1 1" is much too
> volatile for most Let's Encrypt users, and they really need to
> consider switching to "3 1 1". ]
I certainly agree that "3 1 1" is preferable (self-manageable, no external
dependencies), but not that this is specific to Let's Encrypt. Other CAs
will also have to switch to shorter-lived roots and longer chains due to
evolving WebPKI policies, intended to encourage crypto agility.
Also, LE themselves recommend pinning their root certificates for TLSA, and
not their intermediates. And even the new YR/YE issuing chains will still
chain up to the old X1/X2 roots. But it's better to include all four roots
in TLSA "2 1 1" records - then you don't need tricks to append X1/X2 to the
chain served by your SMTP server anymore.
Geert
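As an added example (not part of this thread, and not Postfix's or Let's Encrypt's own code), the following Python derives the two kinds of TLSA record being discussed. In "3 1 1" and "2 1 1", the selector 1 means the digest is taken over the certificate's SubjectPublicKeyInfo and matching type 1 means SHA-256; usage 3 (DANE-EE) pins the SMTP server's own leaf key, while usage 2 (DANE-TA) pins a CA key, so publishing one "2 1 1" record per trusted root (the four ISRG roots mentioned above) is just the usage-2 function applied to each root certificate. The script uses only the standard library with a minimal DER walker. The owner name `_25._tcp.mail.example.com` and the certificate it builds are constructed for the example: the certificate is a synthetic, unsigned, certificate-shaped DER blob, not a real CA or server certificate.

```python
"""Derive DANE TLSA rdata (selector 1 = SPKI, matching type 1 = SHA-256) from X.509 certificates."""
import base64
import hashlib
import re


def der_tlv(data: bytes, offset: int = 0):
    """Parse one DER tag/length/value at offset; return (tag, value_start, value_end)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def spki_from_cert(der: bytes) -> bytes:
    """Return the full DER TLV of subjectPublicKeyInfo (the input for selector 1)."""
    tag, pos, _ = der_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = der_tlv(der, pos)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, vend = der_tlv(der, pos)
    if tag == 0xA0:                          # optional explicit [0] version
        pos = vend
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(der, pos)
    tag, _, spki_end = der_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("missing subjectPublicKeyInfo")
    return der[pos:spki_end]


def spki_sha256_hex(spki: bytes) -> str:
    return hashlib.sha256(spki).hexdigest()


def tlsa_rdata(cert_der: bytes, usage: int) -> str:
    """usage 3 = DANE-EE (server's own leaf cert), usage 2 = DANE-TA (a trusted CA cert)."""
    if usage not in (2, 3):
        raise ValueError("usage must be 2 (DANE-TA) or 3 (DANE-EE)")
    return f"{usage} 1 1 {spki_sha256_hex(spki_from_cert(cert_der))}"


def tlsa_rr(owner: str, cert_der: bytes, usage: int) -> str:
    return f"{owner} IN TLSA {tlsa_rdata(cert_der, usage)}"


def dane_ta_records(owner: str, ca_ders: list) -> list:
    """One '2 1 1' record per trusted root, as suggested in the thread."""
    return [tlsa_rr(owner, d, 2) for d in ca_ders]


# --- constructed sample input (synthetic, unsigned, certificate-shaped DER; not a real cert) ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def constructed_sample_cert():
    """Return (cert_der, spki_der) for a made-up P-256 certificate skeleton."""
    ec_pub = bytes.fromhex("2a8648ce3d0201")          # OID ecPublicKey
    p256 = bytes.fromhex("2a8648ce3d030107")          # OID prime256v1
    ecdsa_sha256 = bytes.fromhex("2a8648ce3d040302")  # OID ecdsa-with-SHA256
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, ec_pub) + _tlv(0x06, p256))
                + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))  # dummy uncompressed point
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                       # version v3
               + _tlv(0x02, b"\x01")                                 # serialNumber
               + _tlv(0x30, _tlv(0x06, ecdsa_sha256))                # signature algorithm
               + _tlv(0x30, b"")                                     # issuer (empty Name)
               + _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"260101000000Z"))
               + _tlv(0x30, b"")                                     # subject (empty Name)
               + spki)
    cert = _tlv(0x30, tbs + _tlv(0x30, _tlv(0x06, ecdsa_sha256)) + _tlv(0x03, b"\x00" * 9))
    return cert, spki


def constructed_sample_pem() -> str:
    cert, _ = constructed_sample_cert()
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    owner = "_25._tcp.mail.example.com."  # constructed owner name
    cert, _ = constructed_sample_cert()
    print(tlsa_rr(owner, cert, 3))        # DANE-EE record for the server's own key
    for rr in dane_ta_records(owner, [cert]):
        print(rr)                         # DANE-TA record(s), one per root
```

For a real certificate the same digest is produced by `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, which is a convenient cross-check before publishing; the usage-3 record only changes when the server's key changes (and stays valid across a key-preserving renewal), whereas usage-2 records follow whatever CA keys you choose to trust.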
_______________________________________________
Postfix-users mailing list -- [email protected]