This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] SSL Certificates for ripe anchors
- Previous message (by thread): [atlas] SSL Certificates for ripe anchors
- Next message (by thread): [atlas] SSL Certificates for ripe anchors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jóhann B. Guðmundsson
johannbg at gmail.com
Fri Aug 30 15:14:41 CEST 2019
On 8/30/19 10:07 AM, Robert Kisteleki wrote: > On 2019-08-22 10:30, Jóhann B. Guðmundsson wrote: >> Hi >> >> >> Has there been any dialog about moving the anchors away from using self >> signed certificates to Let's Encrypt? >> >> >> Regards >> >> Jóhann B. > Hello, > > I believe there was no elaborate discussion about this so far. We do > have TLSA records for all anchors which could be of help depending on > what you want to achieve. What I'm trying to achieve is that ripe's anchors in data centers follow the latest security practices and standards, which require among other things a valid certificate issuer and associated CAA record for *.anchors.atlas.ripe.net anchors be it from Let's encrypt or Digicert, ripe's current certificate issuer Using a self signed certificate in today's age act's as an indicator that the security on the device or server in use might be in question ( if you cant even have an valid certificate issuer on the device or server when it's free, what other things are you skipping on, underlying OS and library updates, coding practices etc. ) and thus can negatively impact the anchor hosting provider security grade, which may lead to anchors having to be removed from data centers to prevent them from negatively affect corporation's security ratings. If money was the issue why the anchors got deployed with self signed certificates to begin with, that's not an issue anymore and probably the community can just get rid of Digicert and actually save money or use that money for lottery or beer on ripe event(s) . ;) Regards Jóhann B.
- Previous message (by thread): [atlas] SSL Certificates for ripe anchors
- Next message (by thread): [atlas] SSL Certificates for ripe anchors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]