[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Viktor Dukhovni
cryptography at dukhovni.org
Sat Apr 19 00:10:13 EDT 2025
On Fri, Apr 18, 2025 at 07:48:21PM -0700, Christian Huitema wrote:
> Maybe the design of HPKP was flawed. Certificates tie domain, certificate
> authority, key and date. One could imagine a different HPKP that tied domain
> and certificate authority, which would limit the attack surface but would
> probably introduce its own set of issue. One could imagine having the new
> keys certified by the previous keys, but that would not be too good if the
> previous key was stolen. Someone smarter than me might come up with a design
> that solve all these issues...
Such generalisations of HPKP are just reinventing DANE badly.
With certificate lifetimes shrinking, users of Let's Encrypt who are
also publishing DANE TLSA records (for SMTP) will need to have better
rollover processes in place, because updating the DNS shortly after
initially breaking the extant TLSA record becomes more brittle once
this happens more frequently. There are much better ways of handling
it, but some don't yet have the correct automation in place.
I am tracking ~4.2 million DANE SMTP domains with working DANE TLSA
records. Of these, 1.7 million have DANE-enabled MX hosts with Encrypt
certificates.
I am also tracking, ~3500 domains with at least one MX host whose
certificate chain fails to match its TLSA records, and Let's Encrypt
certs are used in 2911 of these cases. So there's a clear
over-represetnation of Let's Encrypt issued certs among the small
fraction of domains that are struggling to get the rollover process
right. They'll have more problems as the rollover window shrinks, some
might improve their automation, the rest may be broken more of the time.
--
Viktor.
More information about the cryptography
mailing list