On Mon, 4 Dec 2023 14:20:34 -0500
"'Phil Porada' via [email protected]"
<[email protected]> wrote:

> 1. We will be generating 5 RSA and 5 ECDSA intermediates, instead
> of 2 each. We plan to automatically rotate issuance between multiple
> intermediates for improved redundancy.

I'm curious what exactly that means. Do you mean you will basically
pick an intermediate at random and an ACME user will have no way of
knowing previously which intermediate one will get?

I expect that there are likely plenty of LE users out there that have
setups where the certificate is dynamically generated, but the
intermediate configured statically. (I know I have such setups myself,
with the expectation that a new intermediate is rare enough and I'll
always learn about it in advance, so I can react manually.)

Now, I'm not necessarily saying that this is a reason not to do it. If
LE's intention is that for improved agility they don't want to support
setups that cannot handle constantly changing intermediates, that's
understandable.

However, you should expect that this will create some problems, and
probably an increased amount of support requests once you start doing
this. Given that browsers cache intermediates, such errors can be hard
to debug ("it does not work in this device/browser, but in this one
everything is fine"). Tools like ssllabs detect these issues, but this
stuff is often confusing for people not deeply familiar with TLS+WebPKI.

-- 
Hanno Böck
https://hboeck.de/
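As an added example (not part of this thread, nor Let's Encrypt's or any ACME client's own code): a renewal-hook check, built on the openssl CLI, that fails when a statically configured intermediate is not the one that issued the newly obtained leaf, which is the failure mode described above. All certificate names and files are constructed test data; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example: detect a statically configured intermediate that did not
# issue the freshly renewed leaf. The whole PKI below is constructed test
# data, not Let's Encrypt's real intermediates.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# mkcert NAME SUBJECT EXTFILE [ISSUER]: self-signed when ISSUER is omitted,
# otherwise signed by ISSUER's key. Writes $WORK/NAME.key and $WORK/NAME.pem.
mkcert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
    if [ $# -eq 3 ]; then
        openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" -CA "$WORK/$4.pem" \
            -CAkey "$WORK/$4.key" -CAcreateserial -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# chain_ok LEAF INTERMEDIATE ROOT: succeeds only if INTERMEDIATE's subject is
# LEAF's issuer and LEAF actually verifies through INTERMEDIATE up to ROOT.
# A name match alone would miss a re-issued intermediate with the same name,
# and a bare verify would not tell the operator which side is stale, so do both.
chain_ok() {
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer)
    int_subject=$(openssl x509 -in "$2" -noout -subject)
    if [ "${leaf_issuer#issuer=}" != "${int_subject#subject=}" ]; then
        echo "configured intermediate (${int_subject#subject=}) did not issue leaf (${leaf_issuer#issuer=})" >&2
        return 1
    fi
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Constructed test PKI: one root, two intermediates the CA rotates between,
# a leaf issued by the first while the server still has the second configured.
mkcert root "/O=Example CA/CN=Example Root" ca.ext
mkcert int-a "/O=Example CA/CN=Example R10" ca.ext root
mkcert int-b "/O=Example CA/CN=Example R11" ca.ext root
mkcert leaf "/CN=www.example.test" leaf.ext int-a

chain_ok "$WORK/leaf.pem" "$WORK/int-a.pem" "$WORK/root.pem" && echo "int-a: chain OK"
chain_ok "$WORK/leaf.pem" "$WORK/int-b.pem" "$WORK/root.pem" || echo "int-b: mismatch detected"
```

Running chain_ok against the live leaf and the configured intermediate file from a post-renewal hook (and failing the deploy on a non-zero exit) turns the "works in one browser, not in another" symptom into an error at renewal time.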

To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20231205213528.40d173a3.hanno%40hboeck.de.