On Tue, Dec 5, 2023 at 4:45 PM 'Aaron Gable' via [email protected] <[email protected]> wrote:

> On Tue, Dec 5, 2023, 12:35 Hanno Böck <[email protected]> wrote:
>>
>> [...]
>> I expect that there are likely plenty of LE users out there that have
>> setups where the certificate is dynamically generated, but the
>> intermediate configured statically. (I know I have such setups myself,
>> with the expectation that a new intermediate is rare enough and I'll
>> always learn about it in advance, so I can react manually.)
>
> Also yes, we're very aware of this possibility. This is in fact a large part
> of why we're making this change: it's a mechanical way of
> discouraging/preventing intermediate pinning.

Key continuity is a much better security property than what key rotation provides. Loss of key continuity exposed DigiNotar. Why would LE discourage it?

Stepping back, I'm not thrilled LE is trying to set a policy for me. I should make my own policy decisions.

> We went through this recently with the change to the R3 and E1 intermediates,
> and although some people had to make changes to accommodate the new
> intermediates, there were relatively few breakages. We expect to handle a
> similar level of support requests this time, but with the advantage that (in
> theory) we'll never have to do so again during future intermediate
> transitions.

What advantages?

> For what it's worth, the intermediate *shouldn't* need to be configured
> statically in any ACME setup, since it is provided in the same file as the
> newly issued certificate itself at the end of issuance.

Hmmm... We use Apache, SSLCertificateChainFile and SSLCertificateFile. LE is just creating more work for us.

We're a free software project. I guess beggars can't be too choosy...

Jeff

-- 
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAH8yC8k-fVWYur8WOMT%3DjMVTD9bOQvi3%3DtnaNHskM-owR0f5Ag%40mail.gmail.com.
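The two Apache setups the thread contrasts, as an added illustration that is not part of the mailing-list message: one that pins the intermediate in a separately managed file (the setup Hanno and Jeff describe), and one that serves whatever chain the ACME client received with the leaf (the setup Aaron recommends). The hostname and file paths are assumptions; they follow certbot's default layout under /etc/letsencrypt/live/<name>/ and a constructed placeholder for a hand-copied intermediate, and must be adjusted for your ACME client.

```apache
# Added example, not from the thread. Hostname and paths are assumed;
# the pinned-intermediate path is a constructed placeholder.

# --- Fragile: intermediate pinned statically ---
# cert.pem is replaced by the ACME client on every renewal, but the
# intermediate here was copied by hand once and is only updated when an
# operator remembers to. When the CA signs the renewed leaf with a new
# intermediate, the server keeps sending the old one, and clients that
# do not fetch the issuer themselves (via the AIA URL) cannot build a
# path to a trusted root, so the renewal itself breaks the site.
<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/example.org/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.org/privkey.pem
    SSLCertificateChainFile /etc/ssl/pinned-intermediate.pem   # placeholder
</VirtualHost>

# --- Robust: chain taken from the issuance response ---
# fullchain.pem is the leaf followed by the intermediate(s) the CA
# returned with it, written in one step by the ACME client at the end of
# issuance. Apache 2.4.8 and later read the extra certificates from
# SSLCertificateFile, so SSLCertificateChainFile is no longer needed.
# The served chain now changes together with the leaf, and an
# intermediate rotation on the CA side needs no manual step here.
<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
</VirtualHost>
```

After switching, run `apachectl configtest` and reload; to confirm the server now sends the intermediate that actually issued the leaf, connect with `openssl s_client -connect example.org:443 -showcerts` and check that the second certificate's subject matches the first certificate's issuer. If you want to keep control over which intermediate you trust, that check belongs in a monitoring job that alerts on a mismatch, not in a static file that silently goes stale.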
