On 30. 08. 19 15:14, Jóhann B. Guðmundsson wrote:
On 8/30/19 10:07 AM, Robert Kisteleki wrote:
On 2019-08-22 10:30, Jóhann B. Guðmundsson wrote:
Hi
Has there been any dialog about moving the anchors away from using self-signed certificates to Let's Encrypt?
Regards
Jóhann B.

Hello,
I believe there was no elaborate discussion about this so far. We do have TLSA records for all anchors which could be of help depending on what you want to achieve.
What I'm trying to achieve is that RIPE's anchors in data centers follow the latest security practices and standards, which require, among other things, a valid certificate issuer and an associated CAA record for *.anchors.atlas.ripe.net anchors, be it from Let's Encrypt or DigiCert, RIPE's current certificate issuer.
Using a self-signed certificate in today's age acts as an indicator that the security of the device or server in use might be in question (if you can't even have a valid certificate issuer on the device or server when it's free, what other things are you skipping: underlying OS and library updates, coding practices, etc.) and thus can negatively impact the anchor hosting provider's security grade, which may lead to anchors having to be removed from data centers to prevent them from negatively affecting corporations' security ratings.
If money was the issue why the anchors got deployed with self-signed certificates to begin with, that's not an issue anymore, and the community can probably just get rid of DigiCert and actually save money, or use that money for a lottery or beer at RIPE event(s). ;)
Hold your horses, a self-signed cert with proper TLSA records in a DNSSEC-signed domain is even better, see https://tools.ietf.org/html/rfc6698 . Besides other things, a correctly configured TLSA record + client-side validation prevents rogue or compromised CAs from issuing "fake but accepted as valid" certs. So I would say RIPE NCC is attempting to do security in the most modern way available.
--
Petr Špaček @ CZ.NIC
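The TLSA check Petr describes, as an added example that is not code from this thread, from RIPE NCC or from CZ.NIC: the DANE-EE matching of RFC 6698 on both sides, the operator deriving the "3 1 1 <hex>" record from the certificate's SubjectPublicKeyInfo and the client hashing the SPKI of the certificate it was actually presented and comparing it with the record, so a certificate issued for the name by a rogue or compromised CA fails even though it chains to a trusted root. The DER helpers are minimal ones written for this example and the certificate is a constructed stand-in (correct X.509 field layout, dummy key, empty names and dates); pinning a real record still requires the TLSA lookup itself to be DNSSEC-validated.

```python
import hashlib
MATCH = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),  # RFC 6698 matching
         2: lambda b: hashlib.sha512(b).digest()}                  # types: exact/SHA-256/SHA-512

def der(tag, value):
    """Encode one DER TLV (short and long-form lengths); used to build the sample cert."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, end). DER only, no indefinite lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0  # split a constructed value into its child TLVs, headers kept
    while pos < len(value):
        end = der_tlv(value, pos)[2]
        out.append(value[pos:end])
        pos = end
    return out

def spki_from_cert(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    tbs = der_tlv(der_children(der_tlv(cert_der)[1])[0])[1]  # tbsCertificate body
    fields = der_children(tbs)
    return fields[6 if fields[0][0] == 0xA0 else 5]  # [0] EXPLICIT version is optional

def tlsa_rdata(cert_der, selector=1, mtype=1):
    """Operator side: the '3 <selector> <mtype> <hex>' record to publish for this cert."""
    subject = cert_der if selector == 0 else spki_from_cert(cert_der)
    return f"3 {selector} {mtype} {MATCH[mtype](subject).hex()}"

def tlsa_matches(cert_der, rdata):
    """Client side: does the presented cert match this presentation-format TLSA rdata?"""
    usage, selector, mtype, hexdata = rdata.split()
    if usage != "3":  # DANE-EE only; usages 0-2 additionally require a PKIX chain check
        raise NotImplementedError("only certificate usage 3 (DANE-EE) is handled")
    subject = cert_der if selector == "0" else spki_from_cert(cert_der)
    return MATCH[int(mtype)](subject) == bytes.fromhex(hexdata)

# Constructed stand-in certificate: real X.509 field layout, dummy key, empty names/dates.
SPKI = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + b"\x42" * 128))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
          + der(0x30, b"") * 4 + SPKI)  # sigalg, issuer, validity, subject left empty
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
```

Running `tlsa_rdata(CERT)` gives the record to publish and `tlsa_matches(CERT, record)` is the check a DANE-aware client performs against the certificate it received in the handshake.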