
discuss - [opennic-discuss] root certificate

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Erich Eckner <opennic AT eckner.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: [opennic-discuss] root certificate
  • Date: Fri, 7 May 2021 20:06:03 +0200 (CEST)
  • Original-from: Erich Eckner <opennic AT eckner.net>
  • Original-subject: root certificate

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear community,

The root certificate for the ACME server is about to expire at the end of May, and I would like to hear some opinions on how we want to proceed with the whole ACME project.

Some statistics to support any decision:

Certificates were issued for a total of 29 different domain names under 8 second-level domains. Of those, 21 were my domains (under two second-level domains), 8/6 for domains of other openNIC'ers.

Counting only certificates that are still valid, I see 22 different domain names under 4 different second-level domains. Of those, 20/2 are my own and only 2/2 from others.

Personally, I don't have a problem with maintaining a service which is only sparsely used by others. But also, I'd like to make the service more appealing, in case there are any obstacles to broader usage.

If you see any problems with how the root CA is currently run/configured, then please let me know and I/we can try to change them.

If you think the service is good as-is, there's one thing I'd like to change anyway, namely: make the root certificate valid for a longer duration. This makes it easier for me to maintain the service and for others to import and use the root certificate.

regards,
Erich

P.S.: I once tried to kick off some CA algorithm which allows distributing the secret key of the root CA over multiple OpenNIC members, but this seems to be harder than I thought (although theoretically possible) and especially: there seems to be no working implementation for such a scenario yet which satisfies the requirements we wanted (which are written down in the wiki, which gives me a timeout, currently).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

