On 3 Sep 2019, at 11:38, Robert Kisteleki wrote:
On 2019-09-03 11:17, Shane Kerr wrote:
… Sorry for asking this question so late in this thread, but what exactly are the certificates used for?
The anchors provide very basic services intended to help users who want to use the anchors as measurement targets. They answer incoming ping, DNS and HTTP(S) queries (see https://atlas.ripe.net/docs/anchors/). The HTTP(S) service can respond with pages of various sizes which is intended to help PMTUD tests for example.
It's possible that someone would want to check the TLS certificate of the measured anchor, in which case a "proper" certificate may come handy.
Regards, Robert
Going back to Jóhann, who brought this up: “Using a self signed certificate in today's age act's as an indicator that the security on the device or server in use might be in question … and thus can negatively impact the anchor hosting provider security grade, which may lead to anchors having to be removed from data centers to prevent them from negatively affect corporation's security ratings.” So we have devices that expose the https port and respond with a self signed cert. Any security audit will flag that. Rather than explain to the auditors that there is no ‘real’ http service here, it is a measurement device, … Jóhann suggests to put an acceptably signed cert there. To me this sounds like a no-brainer to make life easier for anchor hosts and not an ideological issue about which CA to use or about other methods of securing https. So can we deploy certs that will satisfy the security audit and get on with life? Daniel