This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[atlas] SSL Certificates for ripe anchors
Jóhann B. Guðmundsson
johannbg at gmail.com
Fri Aug 30 15:14:41 CEST 2019
On 8/30/19 10:07 AM, Robert Kisteleki wrote:
> On 2019-08-22 10:30, Jóhann B. Guðmundsson wrote:
>> Hi
>>
>>
>> Has there been any dialog about moving the anchors away from using self
>> signed certificates to Let's Encrypt?
>>
>>
>> Regards
>>
>> Jóhann B.
> Hello,
>
> I believe there was no elaborate discussion about this so far. We do
> have TLSA records for all anchors which could be of help depending on
> what you want to achieve.

What I'm trying to achieve is that RIPE's anchors in data centers follow the latest security practices and standards, which require among other things a valid certificate issuer and associated CAA record for *.anchors.atlas.ripe.net anchors, be it from Let's Encrypt or DigiCert, RIPE's current certificate issuer.

Using a self signed certificate in today's age acts as an indicator that the security on the device or server in use might be in question (if you can't even have a valid certificate issuer on the device or server when it's free, what other things are you skipping on: underlying OS and library updates, coding practices etc.) and thus can negatively impact the anchor hosting provider security grade, which may lead to anchors having to be removed from data centers to prevent them from negatively affecting corporation's security ratings.

If money was the issue why the anchors got deployed with self signed certificates to begin with, that's not an issue anymore and probably the community can just get rid of DigiCert and actually save money or use that money for lottery or beer on RIPE event(s). ;)

Regards

Jóhann B.
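
The CAA requirement raised in the message above can be checked mechanically. The following is an added example, not part of the original message or of any RIPE tooling: a simplified RFC 8659 evaluation showing how a CAA record set decides whether a given CA may issue for a host name or a wildcard. The zone data, the `example.net` names and all function names are constructed for illustration; CAA flags (the critical bit) are left out.

```python
# Constructed CAA data for illustration only; not the contents of any real zone.
# Each entry maps an owner name to its CAA records as (tag, value) pairs.
ZONE = {
    "example.net": [("issue", "digicert.com"),
                    ("iodef", "mailto:security@example.net")],
    "anchors.atlas.example.net": [("issue", "letsencrypt.org"),
                                  ("issuewild", ";")],
}


def relevant_rrset(name, zone):
    """Climb from name towards the root; return the first non-empty CAA RRset."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_of(value):
    """Issuer domain is the text before any ';' parameters; empty means no CA."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(cert_name, ca_domain, zone):
    """True if CAA does not forbid ca_domain from issuing for cert_name."""
    wildcard = cert_name.startswith("*.")
    # A wildcard request is evaluated at the name with the "*." removed.
    _owner, rrset = relevant_rrset(cert_name[2:] if wildcard else cert_name, zone)
    issue = [issuer_of(v) for t, v in rrset if t.lower() == "issue"]
    issuewild = [issuer_of(v) for t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names, issuewild (when present) replaces issue entirely;
    # for ordinary names, issuewild is ignored.
    effective = issuewild if (wildcard and issuewild) else issue
    if not effective:
        return True  # no restricting property: issuance is not forbidden
    return ca_domain.lower() in effective


if __name__ == "__main__":
    for name in ("host1.anchors.atlas.example.net",
                 "*.anchors.atlas.example.net", "*.example.net"):
        for ca in ("letsencrypt.org", "digicert.com"):
            print(f"{name:34} {ca:16} permitted={caa_permits(name, ca, ZONE)}")
```

In the constructed zone, `issuewild ";"` blocks every CA from issuing a wildcard under `anchors.atlas.example.net` while per-host certificates from the listed issuer remain allowed, which is the distinction to keep in mind when a single wildcard certificate covers a whole fleet.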