On Tue, Dec 5, 2023, 12:35 Hanno Böck <[email protected]> wrote:

> On Mon, 4 Dec 2023 14:20:34 -0500
> "'Phil Porada' via [email protected]"
> <[email protected]> wrote:
>
> > 1. We will be generating 5 RSA and 5 ECDSA intermediates, instead
> > of 2 each. We plan to automatically rotate issuance between multiple
> > intermediates for improved redundancy.
>
> I'm curious what exactly that means. Do you mean you will basically
> pick an intermediate at random and an ACME user will have no way of
> knowing previously which intermediate one will get?
>
Yes. In practice, it might be something like "which data center issues the certificate determines which intermediate is used", but ACME requests are routed to data centers non-deterministically so it's effectively the same thing.

> I expect that there are likely plenty of LE users out there that have
> setups where the certificate is dynamically generated, but the
> intermediate configured statically. (I know I have such setups myself,
> with the expectation that a new intermediate is rare enough and I'll
> always learn about it in advance, so I can react manually.)
>

Also yes, we're very aware of this possibility. This is in fact a large part of why we're making this change: it's a mechanical way of discouraging/preventing intermediate pinning. We went through this recently with the change to the R3 and E1 intermediates, and although some people had to make changes to accommodate the new intermediates, there were relatively few breakages. We expect to handle a similar level of support requests this time, but with the advantage that (in theory) we'll never have to do so again during future intermediate transitions.

For what it's worth, the intermediate *shouldn't* need to be configured statically in any ACME setup, since it is provided in the same file as the newly issued certificate itself at the end of issuance.

Aaron

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErdfKHvFmH%2B-0wvjL5Ohe3rSQR9jU8ykc6w9ikn23uNzFQ%40mail.gmail.com.
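The failure mode Aaron and Hanno are discussing (a dynamically issued leaf paired with a statically configured intermediate) is easy to catch on the deploying side. The following is an added example written for this page; it is not code from the thread, from Let's Encrypt, or from any ACME client. It walks the chain file ACME hands back (leaf first, intermediate after it), checks that every certificate's issuer Name is the subject Name of the next certificate, and flags a pinned intermediate that no longer matches what was actually used. The certificates in it are constructed, unsigned placeholders carrying only the fields the parser reads, so it runs offline; "R3" is the intermediate named in the thread, while "Rn" and "Root" are hypothetical labels standing in for whichever new intermediate the CA picks and its root.

```python
"""Chain-consistency check for an ACME deployment.  Added example, not part of the
original thread; the certificate bodies are constructed placeholders (no keys, no
signatures), built only so the parser has input."""
import base64
import re
from typing import List, Optional, Tuple

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

NO_INTERMEDIATE = "fullchain contains no intermediate"
PINNED_DIFFERS = "pinned intermediate differs from the one in fullchain; serve fullchain instead"


def pem_to_ders(pem: str) -> List[bytes]:
    """Split a PEM bundle (e.g. fullchain.pem) into DER certificates, in file order."""
    return [base64.b64decode(re.sub(r"\s", "", body)) for body in PEM_RE.findall(pem)]


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def names_of(der: bytes) -> Tuple[bytes, bytes]:
    """Return (issuer, subject) as raw DER Name contents of a Certificate (RFC 5280 4.1)."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = _tlv(tbs, pos)
    if tag == 0xA0:                        # [0] EXPLICIT version is optional
        pos = nxt
    _, _, pos = _tlv(tbs, pos)             # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)        # issuer Name
    _, _, pos = _tlv(tbs, pos)             # validity
    _, subject, _ = _tlv(tbs, pos)         # subject Name
    return issuer, subject


def check_fullchain(fullchain_pem: str, pinned_intermediate_pem: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the served chain is consistent.

    Each certificate's issuer must equal the subject of the next certificate in the
    file.  A statically configured intermediate breaks exactly this property once
    issuance rotates to a different intermediate.  Byte comparison of the Name
    encodings is the strict form of the RFC 5280 7.1 comparison and is sufficient
    here because a CA copies its own subject encoding into the certificates it issues.
    """
    certs = pem_to_ders(fullchain_pem)
    if len(certs) < 2:
        return [NO_INTERMEDIATE]
    problems = []
    for i in range(len(certs) - 1):
        issuer, _ = names_of(certs[i])
        _, next_subject = names_of(certs[i + 1])
        if issuer != next_subject:
            problems.append(f"cert {i} issuer does not match cert {i + 1} subject")
    if pinned_intermediate_pem is not None and pem_to_ders(pinned_intermediate_pem)[0] != certs[1]:
        problems.append(PINNED_DIFFERS)
    return problems


# --- constructed sample input (placeholders, not real certificates) ---

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; OID 2.5.4.3 is commonName."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert(subject: str, issuer: str) -> str:
    """Unsigned placeholder carrying only the fields names_of() reads."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                   # version v3
               + _der(0x02, b"\x01")                                              # serialNumber
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
               + _name(issuer)
               + _der(0x30, _der(0x17, b"231205000000Z") + _der(0x17, b"240304000000Z"))
               + _name(subject)
               + _der(0x30, b""))                                                 # empty SPKI
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"


# "R3" is named in the thread; "Rn" and "Root" are hypothetical labels for whichever
# new intermediate the CA happened to pick for this order and for its root.
PINNED_R3 = fake_cert("R3", "Root")                     # what an operator pinned long ago
ROTATED_INTERMEDIATE = fake_cert("Rn", "Root")          # what the CA used this time
FULLCHAIN = fake_cert("example.com", "Rn") + ROTATED_INTERMEDIATE   # the file ACME returns

if __name__ == "__main__":
    print("fullchain as returned: ", check_fullchain(FULLCHAIN))
    print("fullchain vs pinned R3:", check_fullchain(FULLCHAIN, PINNED_R3))
    print("leaf + stale static R3:", check_fullchain(fake_cert("example.com", "Rn") + PINNED_R3))
```

Run against a real `fullchain.pem`, the first call is the only one an ACME deployment needs: if it reports nothing, serving that file as-is gives clients the intermediate the leaf was actually signed by, whichever of the rotating intermediates it turned out to be. The second and third calls show the two ways a static copy goes wrong, either by disagreeing with the served chain or, worse, by being spliced under a leaf it never issued.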
