On Wed, 08 Mar 2017 16:53:01 +0100 Gunnar Haslinger <[email protected]> wrote:
> Use Let's Encrypt with your custom CSR, recycle your CSR when
> renewing (which means reusing the KeyPair). No changes in
> TLSA-Records or HPKP needed, because stable Keypair.

I'd say then you're trading one security property for another.

Changing keys regularly is imho a good thing; it gives you some kind of weak forward secrecy property. IMHO more valuable and less error-prone than HPKP.

Imagine someone gets access to an old backup or hard disk of yours. If you regularly switch keys he won't get an active private key from you. If you reuse private keys he will.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
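The trade-off in this exchange (a stable key pair keeps TLSA records and HPKP pins unchanged across renewals, while rotating the key changes them) can be made concrete by computing the pins themselves. The following is an added illustration written for this page, not code from either poster or from the ACH list. It builds on only the Python standard library: the SPKI DER framing is the RFC 8410 encoding for Ed25519, the 32 key bytes are constructed placeholders rather than real keys, and the function names (`hpkp_pin`, `tlsa_record`, `dane_ee_accepts`, `rollover_steps`) are my own. It shows that the same SPKI yields the same RFC 7469 pin and the same `3 1 1` TLSA record whatever certificate carries it, that a rotated key yields different ones, and how a staged DNS rollover lets keys rotate without a validation gap, which is the alternative to reusing the key.

```python
import base64
import hashlib

# RFC 8410 SubjectPublicKeyInfo framing for an Ed25519 public key:
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits, 32 key bytes) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def make_spki(raw_public_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in DER SubjectPublicKeyInfo."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return ED25519_SPKI_PREFIX + raw_public_key


def hpkp_pin(spki_der: bytes) -> str:
    """RFC 7469 pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def tlsa_record(spki_der: bytes, usage: int = 3) -> str:
    """RFC 6698 TLSA rdata with selector 1 (SPKI) and matching type 1 (SHA-256).
    Usage 3 is DANE-EE: the served key itself must match the record."""
    return f"{usage} 1 1 {hashlib.sha256(spki_der).hexdigest()}"


def dane_ee_accepts(published: set, served_spki: bytes) -> bool:
    """A DANE-EE client accepts the connection iff the served SPKI hashes to a published record."""
    return tlsa_record(served_spki) in published


# Constructed placeholder key material (NOT real keys):
# KEY_A stands for the key pair kept across renewals, KEY_B for a freshly generated one.
KEY_A = make_spki(bytes(range(32)))
KEY_B = make_spki(bytes(range(100, 132)))


def pins_after_renewal(reuse_key: bool):
    """Return (pin before renewal, pin after renewal) for a renewal that keeps or rotates the key.
    Certificates differ either way; only the SPKI decides whether the pin moves."""
    before = hpkp_pin(KEY_A)
    after = hpkp_pin(KEY_A if reuse_key else KEY_B)
    return before, after


def rollover_steps(old_spki: bytes, new_spki: bytes):
    """Staged rotation: (TLSA records published in DNS, SPKI the server serves) per step.
    The new record is published one TTL before the switch and the old one removed one TTL
    after it, so a DANE-EE client never sees a key without a matching record. The same
    ordering applies to HPKP, where the next key's pin is carried as the backup pin."""
    old_rr, new_rr = tlsa_record(old_spki), tlsa_record(new_spki)
    return [
        ({old_rr, new_rr}, old_spki),  # 1. publish the new record, still serving the old key
        ({old_rr, new_rr}, new_spki),  # 2. after a TTL, switch to the new key and certificate
        ({new_rr}, new_spki),          # 3. after another TTL, drop the old record
    ]


if __name__ == "__main__":
    print("reuse key :", pins_after_renewal(True))
    print("rotate key:", pins_after_renewal(False))
    for records, served in rollover_steps(KEY_A, KEY_B):
        print(sorted(records), "->", "accepted" if dane_ee_accepts(records, served) else "REJECTED")
```

The rollover list is where the two positions meet: reusing the key makes step 1 and step 3 unnecessary, but it also leaves the key from an old backup valid for as long as the pin exists; rotating the key costs one extra DNS change per rotation and bounds that exposure to the current key's lifetime.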
