
197 points SGran | 3 comments
likeabatterycar No.42729159
> Our six-day certificates will not include OCSP or CRL URLs.

If someone else did this, Mozilla would be threatening to remove them from their trusted roots.

IP address certs sound like a security nightmare that could be subverted by BGP hijacking. Which is why most CAs don't issue them. Does accessing the ACME challenge from multiple endpoints adequately prevent this type of attack?

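The question above is whether validating an ACME challenge from several network vantage points blunts a BGP hijack of the target prefix. The following is an added illustration, not code from the thread or from any CA's validation service: it models one possible quorum rule (any vantage point that reaches the host and reads a different token vetoes issuance; otherwise a minimum number of perspectives must confirm the expected token; plain fetch failures only abstain). The vantage point names, token values and thresholds are all constructed for the example.

```python
"""Quorum decision for multi-perspective ACME challenge validation (illustrative)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Perspective:
    name: str                 # vantage point label (constructed)
    observed: Optional[str]   # token read over the network; None if the fetch failed


@dataclass(frozen=True)
class Decision:
    issue: bool
    reason: str


def evaluate(expected: str, results: list[Perspective], quorum: int) -> Decision:
    """Decide issuance from several vantage points.

    Rules assumed for this example (not any real CA's policy):
      * a vantage point that reaches the host but reads a *different* token vetoes
        issuance, because part of the Internet is being routed to another server;
      * otherwise at least `quorum` vantage points must have read the expected token;
      * fetch failures (timeouts, connection refused) abstain rather than veto.
    """
    agreeing = [p.name for p in results if p.observed == expected]
    dissenting = [p.name for p in results
                  if p.observed is not None and p.observed != expected]
    failed = [p.name for p in results if p.observed is None]
    if dissenting:
        return Decision(False, f"token mismatch seen from {dissenting}; "
                               "possible route divergence or hijack")
    if len(agreeing) < quorum:
        return Decision(False, f"only {len(agreeing)} of {quorum} required "
                               f"perspectives confirmed (failed: {failed})")
    return Decision(True, f"{len(agreeing)} perspectives agree: {agreeing}")


# Constructed token and scenarios.
TOKEN = "tok-constructed-1234"
QUORUM = 3


def scenario_all_agree() -> Decision:
    return evaluate(TOKEN, [
        Perspective("primary", TOKEN), Perspective("eu-west", TOKEN),
        Perspective("us-east", TOKEN), Perspective("ap-south", TOKEN),
    ], QUORUM)


def scenario_one_vantage_diverges() -> Decision:
    # A localized hijack: one vantage point's traffic reaches a different server.
    return evaluate(TOKEN, [
        Perspective("primary", TOKEN), Perspective("eu-west", TOKEN),
        Perspective("us-east", "tok-from-other-server"), Perspective("ap-south", TOKEN),
    ], QUORUM)


def scenario_one_timeout() -> Decision:
    # A flaky path: one vantage point fails to fetch, but quorum is still met.
    return evaluate(TOKEN, [
        Perspective("primary", TOKEN), Perspective("eu-west", TOKEN),
        Perspective("us-east", None), Perspective("ap-south", TOKEN),
    ], QUORUM)


if __name__ == "__main__":
    for fn in (scenario_all_agree, scenario_one_vantage_diverges, scenario_one_timeout):
        d = fn()
        print(f"{fn.__name__}: issue={d.issue} ({d.reason})")
```

The design point is that a hijack only helps an attacker if it is visible from every vantage point the CA uses; a partial hijack shows up as a token mismatch and is treated as a hard veto, while ordinary network failures merely reduce the count toward quorum.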
1. samcat116 No.42729493
I wonder if they could mandate that IP address certs could only be issued for IPs owned by an AS that has RPKI enabled.
2. EQYV No.42729563
Last I read, RPKI data gets stripped if it passes through an AS that doesn’t support it. Has that changed?
3. NewJazz No.42729721
Uh, not that I know of. You typically run your own validator and configure your router to use it if you care.
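Comments 1 to 3 touch on what RPKI actually gives a relying party. The following is an added example, not code from the thread or from any router or validator: it implements Route Origin Validation as specified in RFC 6811 over a local table of ROAs, which is the data a validator hands to a router (ROAs are fetched from the RPKI repositories, not carried in BGP UPDATE attributes). It also includes a small `has_roa_coverage` check in the spirit of comment 1, i.e. whether an IP address falls under any published ROA at all. The ROA table uses documentation prefixes and private AS numbers and is constructed for the example.

```python
"""RFC 6811 Route Origin Validation over a local ROA table (illustrative)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # prefix the ROA covers
    max_length: int   # longest prefix length the origin AS may announce
    origin_as: int    # 0 means no AS is authorized to originate this prefix


# Constructed ROA table (documentation prefixes, private ASNs; not real ROAs).
ROAS = [
    Roa("203.0.113.0/24", 24, 64496),
    Roa("198.51.100.0/24", 26, 64497),
    Roa("2001:db8::/32", 48, 64496),
    Roa("192.0.2.0/24", 24, 0),   # AS0 ROA: nobody should originate this
]


def covering_roas(route: ipaddress._BaseNetwork, roas=ROAS):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    out = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=True)
        if net.version == route.version and route.subnet_of(net):
            out.append(roa)
    return out


def rov_state(announced: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2.

    valid:     some covering ROA names this origin AS and permits this length
    invalid:   covering ROAs exist but none matches (wrong origin or too specific)
    not-found: no ROA covers the prefix at all
    """
    route = ipaddress.ip_network(announced, strict=True)
    covering = covering_roas(route, roas)
    if not covering:
        return "not-found"
    for roa in covering:
        if (roa.origin_as == origin_as and origin_as != 0
                and route.prefixlen <= roa.max_length):
            return "valid"
    return "invalid"


def accept_route(announced: str, origin_as: int, roas=ROAS) -> bool:
    """Common deployment policy: drop invalid, accept valid and not-found."""
    return rov_state(announced, origin_as, roas) != "invalid"


def has_roa_coverage(ip: str, roas=ROAS) -> bool:
    """Whether a single address falls under any ROA (the idea floated in comment 1)."""
    return bool(covering_roas(ipaddress.ip_network(ip, strict=True), roas))


if __name__ == "__main__":
    checks = [
        ("203.0.113.0/24", 64496),   # exact match, right origin
        ("203.0.113.0/25", 64496),   # more specific than maxLength
        ("203.0.113.0/24", 64500),   # wrong origin AS
        ("198.51.100.64/26", 64497), # allowed by maxLength 26
        ("10.0.0.0/8", 64496),       # no ROA at all
        ("192.0.2.0/24", 64496),     # AS0 ROA
    ]
    for prefix, asn in checks:
        print(f"{prefix:18} AS{asn}: {rov_state(prefix, asn)}")
```

Because the ROA table lives on the relying party's own validator, the state computed here does not depend on anything intermediate ASes do or do not support; what a distant AS strips or ignores only affects whether that AS drops invalid routes, not whether you can evaluate them.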