[Cryptography] Apple's 13-month certificate policy

John-Mark Gurney jmg at funkthat.com
Sun Feb 23 02:00:35 EST 2020


Raymond Burkholder wrote this message on Sat, Feb 22, 2020 at 18:50 -0700:
> On 2020-02-22 4:55 p.m., John-Mark Gurney wrote:
> > Patrick Chkoreff wrote this message on Sat, Feb 22, 2020 at 18:23 -0500:
> >
> > Overall, it's a good thing, and IMO, even 90 days is a bit long.  With
> > automated renewal, 7-30 days is more than long enough.
> 7 - 30 days would be painful.  Yes some systems do have automation. But 
> there are other systems with complicated relationships:  a dns server 
> over there, a web server over here, and automation/manual system 
> somewhere else, ...
> 
> And systems protected by certificates aren't just web servers sitting on 
> the same server as the dns server for the TXT based authorization.  
> There are email servers involved with certificates. No web front end.

Don't need to be sitting on the same server for DNS challenges.  w/
TSIG plus dns auth rules, you can configure the dns server to only
allow that specific server access to the TXT records for challenges.

nsupdate works great, and I've migrated all my LE certs over to using
DNS TXT records.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
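The setup described in the reply above, as an added example that is not part of the thread: a TSIG key that BIND's update-policy confines to the _acme-challenge TXT names, and a small sh hook that issues the matching nsupdate transaction. Key name, hostnames, zone and file paths are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a DNS-01 auth hook that publishes the
# ACME challenge TXT record by TSIG-signed dynamic update, next to the BIND
# update-policy that confines the key to exactly those records.
# Key name, hostnames and paths are constructed placeholders.
set -eu

# Server side (named.conf fragment): the key may only add/delete TXT at the
# listed _acme-challenge names; every other record in the zone stays off limits.
named_conf_fragment() {
cat <<'EOF'
key "acme-web1" { algorithm hmac-sha256; secret "<output of tsig-keygen acme-web1>"; };
zone "example.com" {
    type master;
    file "example.com.zone";
    update-policy {
        grant acme-web1 name _acme-challenge.www.example.com. TXT;
        grant acme-web1 name _acme-challenge.mail.example.com. TXT;
    };
};
EOF
}

# Client side: the nsupdate transaction for one challenge. The token certbot
# passes is base64url, so anything else (newlines, quotes) is refused rather
# than spliced into the update script.
acme_txt_update() {
    server=$1; zone=$2; host=$3; token=$4
    case "$token" in
        ''|*[!A-Za-z0-9_-]*) echo "acme_txt_update: invalid token" >&2; return 1 ;;
    esac
    printf 'server %s\nzone %s\n' "$server" "$zone"
    printf 'update delete _acme-challenge.%s. TXT\n' "$host"
    printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\nsend\n' "$host" "$token"
}

# Wired as certbot --manual-auth-hook: certbot exports CERTBOT_DOMAIN and
# CERTBOT_VALIDATION; the key file is the one written by tsig-keygen.
acme_auth_hook() {
    acme_txt_update "${NS_SERVER:-ns1.example.com}" "${NS_ZONE:-example.com}" \
        "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k /etc/acme/acme-web1.key
}
```

A key with only these grants cannot rewrite A, MX or NS records even if the web server is compromised, which is the point of the dns auth rules in the reply.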

