[atlas] SSL Certificates for ripe anchors
Petr Špaček
petr.spacek at nic.cz
Fri Aug 30 15:47:37 CEST 2019
On 30. 08. 19 15:14, Jóhann B. Guðmundsson wrote:
> On 8/30/19 10:07 AM, Robert Kisteleki wrote:
>> On 2019-08-22 10:30, Jóhann B. Guðmundsson wrote:
>>> Hi
>>>
>>> Has there been any dialog about moving the anchors away from using
>>> self-signed certificates to Let's Encrypt?
>>>
>>> Regards
>>>
>>> Jóhann B.
>> Hello,
>>
>> I believe there was no elaborate discussion about this so far. We do
>> have TLSA records for all anchors which could be of help depending on
>> what you want to achieve.
>
> What I'm trying to achieve is that RIPE's anchors in data centers follow
> the latest security practices and standards, which require among other
> things a valid certificate issuer and an associated CAA record for
> *.anchors.atlas.ripe.net anchors, be it from Let's Encrypt or DigiCert,
> RIPE's current certificate issuer.
>
> Using a self-signed certificate in today's age acts as an indicator
> that the security on the device or server in use might be in question
> (if you can't even have a valid certificate issuer on the device or
> server when it's free, what other things are you skipping on: underlying
> OS and library updates, coding practices etc.) and thus can negatively
> impact the anchor hosting provider's security grade, which may lead to
> anchors having to be removed from data centers to prevent them from
> negatively affecting the corporation's security ratings.
>
> If money was the issue why the anchors got deployed with self-signed
> certificates to begin with, that's not an issue anymore and probably the
> community can just get rid of DigiCert and actually save money or use
> that money for a lottery or beer at RIPE event(s). ;)

Hold your horses, a self-signed cert with proper TLSA records in a
DNSSEC-signed domain is even better, see https://tools.ietf.org/html/rfc6698 .
Besides other things, a correctly configured TLSA record + client-side
validation prevents rogue or compromised CAs from issuing "fake but
accepted as valid" certs.

So I would say RIPE NCC is attempting to do security in the most modern
way available.

--
Petr Špaček @ CZ.NIC
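As an added example (not code from the thread, RIPE NCC or any tool named in it), the client-side check Petr refers to, spelled out in Python: compute the TLSA certificate association data (RFC 6698) from the certificate a server presents and accept it only if a DANE-EE (usage 3) record from a DNSSEC-validated TLSA RRset matches, so a certificate for the same name issued by any CA but carrying a different key is rejected. The minimal DER walker, the `skeleton_cert` sample builder and all function names are assumptions constructed for this illustration; only the standard library is used.

```python
import hashlib

def _tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length (real certs need it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """(tag, tlv_start, value_start, value_end) for each element of a constructed node."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        out.append((tag, pos, vs, ve))
        pos = ve
    return out

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo from TBSCertificate (RFC 5280 s.4.1, the field after subject)."""
    _, vs, ve = _tlv(cert_der, 0)              # Certificate ::= SEQUENCE { tbs, sigalg, sig }
    tbs = _children(cert_der, vs, ve)[0]
    fields = _children(cert_der, tbs[2], tbs[3])
    if fields[0][0] == 0xA0:                   # explicit [0] version present (v2/v3)
        fields = fields[1:]
    return cert_der[fields[5][1]:fields[5][3]]

def tlsa_data(cert_der, selector=1, mtype=1):
    """Certificate association data for a TLSA record (RFC 6698 s.2.1)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)   # 0 = full cert, 1 = SPKI
    if mtype in (1, 2):                        # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
        data = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()
    return data

def dane_ee_accepts(cert_der, tlsa_rrset):
    """DANE-EE (usage 3): the presented cert must match a published record, so a cert for
    the name from any CA but with another key fails. Assumes a DNSSEC-validated RRset."""
    return any(u == 3 and s in (0, 1) and m in (0, 1, 2) and tlsa_data(cert_der, s, m) == d
               for u, s, m, d in tlsa_rrset)

def _der(tag, content):                        # short-form DER TLV (< 128 bytes), for samples
    return bytes([tag, len(content)]) + content
def skeleton_cert(pubkey32):
    """Constructed X.509-shaped sample around an Ed25519 SPKI; not a real signed certificate."""
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2b6570")))   # OID 1.3.101.112
                + _der(0x03, b"\x00" + pubkey32))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")  # version, serial
               + _der(0x30, b"") * 4 + spki)   # sigalg, issuer, validity, subject, SPKI
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Without DNSSEC validation of the TLSA lookup the pin itself could be spoofed, which is why the thread ties the two together.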