also sprach Viktor Dukhovni <postfix-us...@dukhovni.org> [2017-09-18 22:39 +0200]:
> > No, they're all managed centrally and pushed regularly.
>
> So, though this is not your best option, you can centrally capture
> the updated fingerprints and automate their deployment (along with
> the most recent previous fingerprint to avoid race conditions).

In fact, there are three options right now:

a/ collect and deploy the fingerprints, as you say
b/ use a self-signed certificate with a lifetime of 99 years just for this purpose
c/ use public key fingerprints instead of the cert fingerprints

I think (a) is really just ungood. I just implemented (c), which was
trivial and solves the problem. Thanks also to Daniel Kahn Gillmor for
the vital hint that made me realise Postfix 2.9 supports this.

Long-term, I think I might want to look into (b) though. I like the idea
of having a single certificate ("identity") of a host, that then gets
used in its various facets, but that's actually probably not good
security advice anyway.

> > At the moment, I have to assume, however, that LE wouldn't actually
> > care if I requested a cert renewal with a http-01 when I've used
> > dns-01 in the past.
>
> I'd also be curious to know the answer to that. Please follow up
> if you find out. I'm sure that enough folks here use LE certs to
> justify a slightly off-topic post.

I'll put this in my tickler file for 30 days from now.

> All that said, the case for submission based on CA authenticated
> key -> name bindings is not looking too strong. This is not going
> to have a significant priority unless a more compelling use-case
> shows up.

Yeah, makes sense. Thanks for your patience!

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

"computer science is no more about computers
 than astronomy is about telescopes."
                                                   -- edsgar w. dijkstra

spamtraps: madduck.bo...@madduck.net
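An added illustration of option (c) from the message above, not code from the thread or from Postfix: it uses the openssl CLI to show that a certificate fingerprint changes on every renewal while the public-key fingerprint (which Postfix 2.9 and later also accepts at the fingerprint security level) only changes when the key itself is rotated. The host name mx.example.test, the locally generated key and the "renewed" self-signed certificates are constructed here; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example: certificate fingerprint vs. public-key fingerprint across renewals.
# Everything below is generated locally; nothing is fetched from a CA.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# SHA-256 over the DER certificate, lower-case colon-separated (a certificate pin).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//' | tr 'A-F' 'a-f'
}

# SHA-256 over the DER SubjectPublicKeyInfo, same format (a public-key pin).
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -c | sed 's/.*= *//' | tr 'A-F' 'a-f'
}

# Emit a tls_policy entry that pins the current and the previous public key, which
# covers the deployment race the thread mentions. Pair it with
# smtp_tls_fingerprint_digest = sha256 in main.cf.
policy_line() {
    printf '%s fingerprint match=%s|match=%s\n' \
        "$1" "$(pubkey_fingerprint "$2")" "$(pubkey_fingerprint "$3")"
}

# Simulate two renewals that reuse the key (cert1, cert2), then a key rotation (cert3).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$work/key.pem" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$work/key2.pem" 2>/dev/null
for n in 1 2; do
    openssl req -x509 -new -key "$work/key.pem" -subj /CN=mx.example.test \
        -days 90 -out "$work/cert$n.pem" 2>/dev/null
done
openssl req -x509 -new -key "$work/key2.pem" -subj /CN=mx.example.test \
    -days 90 -out "$work/cert3.pem" 2>/dev/null

echo "cert1 cert=$(cert_fingerprint "$work/cert1.pem")"
echo "cert2 cert=$(cert_fingerprint "$work/cert2.pem")   <- renewal: differs"
echo "cert1 pkey=$(pubkey_fingerprint "$work/cert1.pem")"
echo "cert2 pkey=$(pubkey_fingerprint "$work/cert2.pem")   <- same key: unchanged"
echo "cert3 pkey=$(pubkey_fingerprint "$work/cert3.pem")   <- rotated key: changes"
policy_line mx.example.test "$work/cert2.pem" "$work/cert1.pem"
```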