
Re: [opennic-discuss] broken https on reg.libre


  • From: Rouben <rouben AT rouben.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] broken https on reg.libre
  • Date: Fri, 22 May 2020 07:25:49 -0400

Hi,

Since you bring up TOFU (Trust On First Use), I wanted to also chime in on the whole TLS cert situation.

I think some things have changed since we last looked at it.

1. There are more ACME service (not just client) implementations available than before. For example, Smallstep CA seems like an easier-to-manage implementation than Let’s Encrypt’s Boulder: 

2. As part of implementing a DNS change, we could ask our users to also import our root certs.

3. If we use ACME, we can set things up as follows (rough sketch, just off the top of my head):

a) root cert - private key on a restricted machine or on the CA operator’s hardware token, like a YubiKey. The public key/self-signed cert for this one is published on the OpenNIC site and is what we ask our users to trust when they deploy our DNS.

b) intermediate - valid for 6 months, needs to be semi-automatically renewed (re-signed) by (a) - the CA operator does this with their hardware token/YubiKey on a secure, dedicated, offline machine.

c) client certs - valid for 1-3 months, requested and issued exclusively through the ACME protocol, signed by (b). The private key for (b) lives on the ACME server.

What are your thoughts?

Rouben

On Fri, May 22, 2020 at 06:01 Erich Eckner <opennic AT eckner.net> wrote:

Hi,

I know that creating properly trusted SSL certificates for OpenNIC
domains is (currently) impossible. But I'd still like to urge the operator
of reg.libre to also add the reg.libre vhost backend on https (with any
certificate), because currently one is forced to use http://reg.libre,
since https://reg.libre brings up the content from a different vhost
(after ignoring the unavoidable certificate warning/error).

I think using https with a broken certificate is still safer than using
no https at all - it withstands passive eavesdropping, and one can also
use TOFU to pin the certificate after first use.

btw: this might be true for other sites within OpenNIC's namespace, so
maybe everyone running sites which handle secret data (e.g. login
credentials) may want to check their config too :-)

cheers,
Erich



--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
--
Rouben
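Rouben's three-tier sketch (offline root, 6-month intermediate, 1-3 month ACME leaves) and Erich's remark about pinning after first use, as an added example that is not part of either message: a POSIX shell script driving the openssl CLI (assumed OpenSSL 1.1.1 or later) that builds the hierarchy with those lifetimes for reg.libre, validates the chain the way a relying party would, checks each certificate against the sketched lifetime policy, and computes the SPKI hash a TOFU pin would store. File names, subject names and the 10-year root lifetime are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds root -> intermediate -> leaf
# with plain openssl and checks it as a client or a policy audit would.
# Work directory, names and lifetimes in days are assumptions.
set -eu

# Self-signed root (the offline/hardware-token key in the sketch), 10 years.
# Extensions come from an explicit -extfile so the result does not depend on openssl.cnf.
make_root() {   # $1 = work dir
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/root.key"
    openssl req -new -key "$1/root.key" -subj "/CN=Example OpenNIC Root" -out "$1/root.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 3650 -extfile "$1/ca.ext" -out "$1/root.pem"
}

# Issue $1/$2.pem signed by $1/$3.key with the given extension text and lifetime.
issue() {       # $1 = dir, $2 = name, $3 = issuer name, $4 = subject, $5 = extensions, $6 = days
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
    openssl req -new -key "$1/$2.key" -subj "$4" -out "$1/$2.csr"
    printf '%s\n' "$5" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
        -days "$6" -extfile "$1/$2.ext" -out "$1/$2.pem"
}

build_hierarchy() {   # $1 = work dir
    make_root "$1"
    # Intermediate: 6 months (183 days), may only sign end-entity certs (pathlen:0).
    issue "$1" int root "/CN=Example OpenNIC Issuing CA" \
        'basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign' 183
    # Leaf for reg.libre: 90 days, the kind of cert ACME would hand out.
    issue "$1" leaf int "/CN=reg.libre" \
        'basicConstraints=CA:FALSE
subjectAltName=DNS:reg.libre
extendedKeyUsage=serverAuth' 90
}

# Relying-party check: trust only the root; the intermediate is untrusted chain material.
verify_leaf() { openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1; }

# Lifetime policy: $1 must expire no later than $2 days from now (one hour of slack).
# -checkend exits 0 while the cert is still valid at that instant, so success is negated.
within_lifetime() { ! openssl x509 -noout -checkend $(( $2 * 86400 + 3600 )) -in "$1" >/dev/null; }

# SHA-256 over the DER SubjectPublicKeyInfo, base64: the value a TOFU pin store would keep.
spki_pin() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | base64; }
```

Pinning the SPKI hash rather than the whole certificate lets a site renew its 90-day leaf with the same key without breaking existing pins.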


