Hello,
> hosted on various machines run by different people. I'm not sure if
> there's any viable way to handle keys and certificates for this type
> of situation.
-->>
###############################################################
letsencrypt:

Can one domain have multiple servers controlled by different entities?
    Yes, but there will need to be some coordination for getting the SSL
    certificates.

How can the coordination work? (depends on the ACME challenge used)
    HTTP
        Working together
            Whenever one of the 2 hosts wants to renew a cert they would need to
            deploy a .well-known file to both servers, so that no matter which one
            letsencrypt accesses, they get the right file.
        Centralised
            You can run an additional server, which both parties can push files to,
            and have both servers redirect any requests for .well-known to this server.
    DNS
        Full access
            Either of the 2 hosts would need to be able to add DNS records to pass
            the checks.
        Custom API
            An API can be set up so that the 2 hosts can submit an ACME response and
            have it served.

Limiting impact of breaches
    As the servers need to be able to generate SSL certificates, if they are
    breached they will be able to generate certs.
    Using Must-Staple ( https://scotthelme.co.uk/ocsp-must-staple/ ) the impact of
    current certs leaking can be reduced, but this will not help if the host is
    instructed to make new certs without this after generation.
    Using CT logs you can watch for invalid certs, and using CAA you can limit
    which CAs will issue certs, which will help reduce the breach impact.
    You could even use CAA to disable certs entirely, and only allow issuance by
    contacting you and manually removing the record until the cert has been issued,
    reducing your attack window but increasing the management overhead.
###############################################################
> Sent: Monday, January 15, 2018 at 1:37 PM
> From: "Stuart Henderson" <[email protected]>
> To: [email protected]
> Subject: Re: OpenBSD !HTTPS websites - why?
>
> On 2018-01-15, who one <[email protected]> wrote:
> > Hello,
> >
> > http://www.openbsdfoundation.org/
> > http://firmware.openbsd.org/firmware/
> >
> > When can we have HTTPS connection on these websites?
> >
> > What website remains that doesn't have HTTPS yet and related to OpenBSD?
> >
> > Security should be in layers, HTTPS is one additional layer.
> >
> > 70% of the websites in the world use HTTPS: https://letsencrypt.org/stats/
> > , see "Percentage of Web Pages Loaded by Firefox Using HTTPS". If OpenBSD
> > is security oriented, HTTPS should be de facto.
> >
> > Many thanks.
> >
> >
>
> I can't speak for openbsdfoundation, but for firmware.openbsd.org it's
> hosted on various machines run by different people. I'm not sure if
> there's any viable way to handle keys and certificates for this type
> of situation.
>
> Firmware packages do have signify(1) signatures themselves. These
> are verified early - before passing to gzip to decompress them.
> However there is a remaining issue that a MITM could suppress
> certain packages, or provide older signed versions.
>
>
>
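The CAA suggestions above (restricting issuance to one CA, and using an empty issuer to block issuance entirely until the record is removed) can be checked with the RFC 8659 evaluation logic below. This is an added example, not code from the thread or from any ACME client; the zone data, the domain names and the `ca_may_issue` function are constructed for illustration.

```python
from typing import Dict, List, NamedTuple


class CAA(NamedTuple):
    flags: int   # bit 7 (value 128) marks the record as issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org; validationmethods=dns-01"


# Constructed zone data for the example (not real DNS records).
EXAMPLE_ZONE: Dict[str, List[CAA]] = {
    "example.org": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                    CAA(0, "iodef", "mailto:[email protected]")],
    # ';' as the issuer domain: no CA at all may issue for this name
    "locked.example.org": [CAA(0, "issue", ";")],
    # wildcard issuance blocked, ordinary issuance still allowed
    "www.example.org": [CAA(0, "issuewild", ";"), CAA(0, "issue", "letsencrypt.org")],
}


def relevant_caa_set(zone: Dict[str, List[CAA]], name: str) -> List[CAA]:
    """RFC 8659: climb from the name toward the root, return the first non-empty CAA set."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def _issuer_domain(value: str) -> str:
    """The issuer domain is everything before the first ';' (may be empty)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone: Dict[str, List[CAA]], name: str, ca: str, wildcard: bool = False) -> bool:
    records = relevant_caa_set(zone, name)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in records):
        return False  # a critical tag the CA does not understand means refuse
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    allowed = [_issuer_domain(r.value) for r in records if r.tag.lower() == tag]
    if not allowed:
        return True  # the property is not restricted for this name
    return ca.lower() in allowed  # an empty issuer domain matches no CA
```

A multi-host setup still needs every host to agree on which CA it uses, since the record applies to the whole name regardless of which machine answered the challenge.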