Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Kyle Banerjee
> > I am not sure what Kyle means by "encryption hides attacks". Interfaces designed for humans are frequent targets for attack. Network monitoring tools are incredibly helpful for identifying compromised machines, bots, and humans trying to bust in. So yes, encryption does hide attack activity

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Jonathan Rochkind
PS: If one single server (or group of identical servers, horizontally scaled) needs to respond to multiple hostnames, I would use a single SAN cert with multiple hostnames. If multiple entirely different servers just happen to be different *.university.edu -- I would not use a SAN cert or a

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Jonathan Rochkind
There's no reason you _need_ to use a wildcard cert for many hosts. You can use a separate cert for each. The reason people prefer a wildcard cert is because it was a pain to _get_ and keep track of all those certs. letsencrypt architecture encourages you to just do that. The certs are

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Junior Tidal
for Libraries [mailto:CODE4LIB@LISTS.CLIR.ORG] On Behalf Of William Denton Sent: Monday, June 19, 2017 1:57 PM To: CODE4LIB@LISTS.CLIR.ORG Subject: Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates? On 18 June 2017, Jonathan Rochkind wrote: > I'm actually hav

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Kyle Banerjee
I almost wrote it wouldn't work, but what works always depends on the particulars of your situation. For example, depending on how many domains you need and what mechanisms you're using, you might be able to use Subject Alternative Name (SAN) certificates to mitigate the lack of a wildcard

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Cary Gordon
In my experience, it has become very easy to set up renewal. It has gotten easier with every release. Cary On Mon, Jun 19, 2017 at 7:55 AM Kyle Breneman wrote: > Thanks for chiming in, Kyle. I think, in your second-to-last sentence, you > were about to say

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Jonathan Rochkind
Here's a thread about per-TLD rate limits being a problem for universities; it seems per a post at the end of that thread that letsencrypt might exempt your institution from rate limits, but an official agent of the university needs to submit the request:

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Kyle Breneman
Thanks for that detailed and interesting reply, Jonathan. On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind wrote: > Just to clarify, by "Commercial certificates offer stronger proof of > identity", you mean an "Extended Validation" (EV) certificate. >

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-18 Thread Jonathan Rochkind
Just to clarify, by "Commercial certificates offer stronger proof of identity", you mean an "Extended Validation" (EV) certificate. https://en.wikipedia.org/wiki/Extended_Validation_Certificate If you are getting a 'commercial certificate' that is a standard 'domain validated' cert instead of an

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-17 Thread Cary Gordon
We are starting to roll out LetsEncrypt for all of our services and clients who do not use or want commercial certificates. Note that LetsEncrypt offers only domain authentication, in most cases specifically validated by your control of the server. Commercial certificates offer stronger proof