Hello,

> hosted on various machines run by different people. I'm not sure if
> there's any viable way to handle keys and certificates for this type
> of situation.
-->>
###############################################################

letsencrypt: Can one domain have multiple servers controlled by different entities

Yes, but there will need to be some coordination for getting the SSL certificates

How can the coordination work (depends on the ACME challenge used)

HTTP

    Working together
        Whenever one of the 2 hosts wants to renew a cert they would need
        to deploy a .well_known file to both servers, so that no matter
        which one letsencrypt accesses they get the right file.

    Centralised
        You can run an additional server, which both parties can push
        files to, and have both servers redirect any requests for
        .well_known to this server

DNS

    Full access
        Either of the 2 hosts would need to be able to add DNS records to
        pass the checks

    Custom API
        An API can be set up so that the 2 hosts can submit an ACME
        response and have it served

Limiting impact of breaches

    As the servers need to be able to generate SSL certificates, if they
    are breached they will be able to generate certs.

    Using Must-Staple ( https://scotthelme.co.uk/ocsp-must-staple/ ) the
    impact of current certs leaking can be reduced, but this will not help
    if the host is instructed to make new certs without this after
    generation.

    Using CT logs you can watch for invalid certs, and using CAA you can
    limit which CAs will issue certs, which will help reduce the breach
    impact.

    You could even use CAA to disable certs entirely, and only allow
    issuance by contacting you and manually removing the record until the
    cert has been issued, reducing your attack window, but increasing the
    management overhead.

###############################################################

> Sent: Monday, January 15, 2018 at 1:37 PM
> From: "Stuart Henderson" <s...@spacehopper.org>
> To: misc@openbsd.org
> Subject: Re: OpenBSD !HTTPS websites - why?
>
> On 2018-01-15, who one <whoonet...@mail.com> wrote:
> > Hello,
> >
> > http://www.openbsdfoundation.org/
> > http://firmware.openbsd.org/firmware/
> >
> > When can we have HTTPS connection on these websites?
> >
> > What website remains that doesn't have HTTPS yet and related to OpenBSD?
> >
> > Security should be in layers, HTTPS is one additional layer.
> >
> > 70% of the websites in the world uses HTTPS: https://letsencrypt.org/stats/
> > , see "Percentage of Web Pages Loaded by Firefox Using HTTPS". If OpenBSD
> > is security oriented, HTTPS should be de facto.
> >
> > Many thanks.
> >
> >
>
> I can't speak for openbsdfoundation, but for firmware.openbsd.org it's
> hosted on various machines run by different people. I'm not sure if
> there's any viable way to handle keys and certificates for this type
> of situation.
>
> Firmware packages do have signify(1) signatures themselves. These
> are verified early - before passing to gzip to decompress them.
> However there is a remaining issue that a MITM could suppress
> certain packages, or provide older signed versions.
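
The CAA idea in the reply above (limit which CAs may issue, or publish a record that blocks issuance until it is manually removed), as an added example that is not part of the original thread: a check of one CAA RRset against the RFC 8659 rules, without the tree climbing a CA also performs. The example.org records and the other-ca.example issuer are constructed sample data; letsencrypt.org is the issuer name Let's Encrypt recognises in CAA records.

```python
import shlex

# Constructed sample RRsets in zone-file presentation form (not from the thread).
NORMAL = '''example.org. CAA 0 issue "letsencrypt.org"
example.org. CAA 0 iodef "mailto:hostmaster@example.org"'''
LOCKED = 'example.org. CAA 0 issue ";"'   # empty issuer name: nobody may issue

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(rrset_text):
    """Return [(flags, tag, value)] from 'name CAA flags tag "value"' lines."""
    records = []
    for line in rrset_text.splitlines():
        if not line.strip():
            continue
        fields = shlex.split(line)          # strips the quotes around the value
        i = fields.index("CAA")
        flags, tag, value = fields[i + 1:i + 4]
        records.append((int(flags), tag.lower(), value))
    return records


def may_issue(rrset_text, ca_domain, wildcard=False):
    """True if this RRset lets the CA named ca_domain issue for the name."""
    records = parse_caa(rrset_text)
    # Critical bit (128) on a tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # issuewild applies only to wildcard requests and then overrides issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                         # nothing here restricts issuance
    # The value is 'issuer-domain [; parameters]'; compare the issuer part only.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed
```

With LOCKED published, a renewal attempted from either host fails at the CA until the record is swapped back to the NORMAL form, which is the manual window described in the reply.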