On 2017-03-08 16:32, Hanno Böck wrote:
> This is one of the reasons why these days I tend to advise against HPKP
> with the exception of high risk sites. There's just far too much that
> can go wrong with HPKP.

Several possibilities to handle this risk:

Use Let's Encrypt with your custom CSR and recycle your CSR when renewing (which means reusing the keypair). No changes to TLSA records or HPKP are needed, because the keypair is stable.

If you used certbot to create everything for you, you can still switch to CSR mode as long as you have access to the public/private RSA keypair of your current certificate.

When you want to change the keypair:
1) do it early, so you have time to insert additional HPKP and TLSA entries
2) do it with the prepared spare key. HPKP forces you to have a backup keypair; pinning only one public key doesn't work. The RFC says you have to have at least one backup key pinned which is currently unused. Browsers don't enforce the HPKP mechanism if you don't use an unused backup key (at least I checked this with Chrome and Firefox).

But I agree with Hanno: if you feel uncomfortable handling this technology right, better don't use it. There is a high chance something goes wrong, because it is not done the right way.
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
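
Added example, not part of the original mail: a sketch of why a reused keypair leaves HPKP pins and TLSA records untouched, and why a header needs an unused backup pin before browsers store it (the RFC 7469 rule). The function names and the max-age value are hypothetical, and the SPKI byte strings are constructed stand-ins for real DER-encoded public keys.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def tlsa_311(spki_der: bytes) -> str:
    """TLSA rdata, usage 3 / selector 1 (SPKI) / matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

def build_header(spkis, max_age=5184000) -> str:
    """Public-Key-Pins header value; max_age is a constructed sample value."""
    pins = "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis)
    return f"{pins}; max-age={max_age}"

def parse_pins(header: str) -> set:
    return set(re.findall(r'pin-sha256="([^"]+)"', header))

def header_noted(header: str, chain_spkis) -> bool:
    """RFC 7469 rule for a browser to store the pins from this response."""
    chain = {spki_pin(s) for s in chain_spkis}
    pins = parse_pins(header)
    has_max_age = re.search(r'max-age="?\d+', header) is not None
    # One pin must match the served chain, one must be a backup outside it.
    return has_max_age and bool(pins & chain) and bool(pins - chain)

def connection_ok(stored_pins: set, chain_spkis) -> bool:
    """Later visits: the served chain must contain one stored pin."""
    return bool(stored_pins & {spki_pin(s) for s in chain_spkis})

# Constructed stand-ins for DER SubjectPublicKeyInfo bytes (not real keys).
LIVE, SPARE, UNPINNED = b"spki-live", b"spki-spare", b"spki-unpinned"

def demo() -> dict:
    header = build_header([LIVE, SPARE])
    stored = parse_pins(header)
    return {
        "single_pin_noted": header_noted(build_header([LIVE]), [LIVE]),
        "live_plus_spare_noted": header_noted(header, [LIVE]),
        "renewal_same_key_ok": connection_ok(stored, [LIVE]),
        "switch_to_spare_ok": connection_ok(stored, [SPARE]),
        "switch_to_unpinned_ok": connection_ok(stored, [UNPINNED]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both values are computed over the public key only, so a certificate renewed from the same CSR produces the same pin and the same TLSA record.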
