Just to weigh in as both an Anchor host and a heavy Atlas user: we've found the self-signed certificates to be a non-issue. While I will not deny that they do show up in many internal security scans, self-signed certs fall well below other "issues" such as open ports, non-standard responses to version.bind queries, and strange traffic patterns. Such concerns are, however, mitigated by the understanding that the anchors are measurement points, and therefore may generate, and be subject to, non-standard (or perceived as traditionally insecure) behaviors. I can appreciate that there may be measurements (*i.e.* using the platform) that would be made easier with non-self-signed certificates, but I'm not sure I've seen that discussed here.

-m

On Wed, Sep 4, 2019 at 3:00 AM Robert Kisteleki <robert@ripe.net> wrote:
On 2019-09-03 17:03, Randy Bush wrote:
been using LE+TLSA for a loooong time. like 94 of us, i have recipes (for LE for sites w/o web services) if you need them. please do it. it's prudent.
randy
Thank you Randy for the offer!
We'll check what it takes to add this to the anchors, and report back soon.
Regards, Robert
--
*Marcel Flores, PhD* | Sr. Research Scientist
research.verizondigitalmedia.com | AS15133 <https://www.peeringdb.com/asn/15133>
e: marcel.flores@verizondigitalmedia.com
13031 W Jefferson Blvd. Building 900, Los Angeles, CA 90094