On Mon, May 22, 2023 at 02:34:41PM +0200, Joachim Lindenberg via Postfix-users wrote:
> reusing the private key for too long (say a year or more) is
> considered a bad security practice. Imho it is easier to monitor
> changes of the issuing CA (I do) or just mark your calendar to update
> in September 2025 than to pin 3 1 1. Don't want to be fundamental,
> just opinionated. Everyone has to decide on her/his own.

FWIW, I don't agree. There are still ~270 domains publishing TLSA
records matching the long-retired Let's Encrypt X3/X4 CAs. Diligently
tracking issuing CA transitions is not that easy in practice, and the
security of ACME is fairly dubious.

Key reuse as a *default* rollover approach is robust. When it is time
to change keys, one can do so deliberately, and with due care to
prepublish TLSA records matching the *next* key, then after a few TTLs
deploy the next certificate, and at that point drop the outdated TLSA
RR matching the old keys.

Meanwhile, root CAs reuse the same RSA 2048-bit key for decades.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org