On 2019-09-03 11:17, Shane Kerr wrote: > Robert, > > On 03/09/2019 09.57, Robert Kisteleki wrote: >> >>> Still no one has answered why ripe is using self signed certs for anchor >>> when they can use let's encrypt for free... >> >> TL;DR if the community prefers it we use LE (+TLSA). >> >> This comes with the expense of some one-time and ongoing operational >> work. Considering that anchors don't host any sensitive information, >> using self-signed certs (+TLSA) was so far considered good enough. > > Sorry for asking this question so late in this thread, but what exactly > are the certificates used for? The anchors provide very basic services intended to help users who want to use the anchors as measurement targets. They answer incoming ping, DNS and HTTP(S) queries (see https://atlas.ripe.net/docs/anchors/). The HTTP(S) service can respond with pages of various sizes which is intended to help PMTUD tests for example. It's possible that someone would want to check the TLS certificate of the measured anchor, in which case a "proper" certificate may come handy. Regards, Robert
- [atlas] SSL Certificates for ripe anchors Sylvain BAYA
- Re: [atlas] SSL Certificates for ripe anchor... Carsten Schiefner
- Re: [atlas] SSL Certificates for ripe anchor... Bjørn Mork
- Re: [atlas] SSL Certificates for ripe anchor... Carsten Schiefner
- [atlas] SSL Certificates for ripe anchors Sylvain BAYA
- Re: [atlas] SSL Certificates for ripe anchor... Bjørn Mork
- Re: [atlas] SSL Certificates for ripe anchor... Carsten Schiefner
- Re: [atlas] SSL Certificates for ripe anchor... Daniel Karrenberg
- [atlas] SSL Certificates for ripe anchors Sylvain BAYA
- Re: [atlas] SSL Certificates for ripe anchor... Shane Kerr
- Re: [atlas] SSL Certificates for ripe anchor... Robert Kisteleki
- Re: [atlas] SSL Certificates for ripe anchor... Daniel Karrenberg
- Re: [atlas] SSL Certificates for ripe anchor... Randy Bush
- Re: [atlas] SSL Certificates for ripe anchor... Robert Kisteleki
- Re: [atlas] SSL Certificates for ripe anchor... Marcel Flores
- Re: [atlas] SSL Certificates for ripe anchors Randy Bush
- Re: [atlas] SSL Certificates for ripe anchor... Bjørn Mork
- Re: [atlas] SSL Certificates for ripe anchor... Jóhann B . Guðmundsson
- Re: [atlas] SSL Certificates for ripe anchor... Gert Doering
- Re: [atlas] SSL Certificates for ripe anchor... Randy Bush