Heya, I think one of the big "accidental" features of how Let's Encrypt deals with renewing certificates is that it makes certificate revocation workable. In reality neither CRLs nor OCSP work at scale; there used to be a nice webpage that would show statistics on OCSP latency, and most CAs would have OCSP instances with latency ranging from 200ms to a few seconds. CRLs grow exponentially in size and you need to keep track of them as well. So while not ideal, these short-lived certs give you the possibility to automatically "time-out" certs/services that you may have lost control over (worst case). Of course the Let's Encrypt service (ACME protocol) has the possibility to directly revoke certificates as well.

Just a thought. As for dealing with HPKP: I'd wait for Certbot to properly integrate that; a lot can go wrong there, and you'd want proper tests for different software daemons and environments if you're automating HPKP deployment. I'm not sure this feature is on their roadmap currently, but I know they're aware of HPKP and are considering it. They just have a lot of other pressing issues and integration to get done first.

Aaron
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
