This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[atlas] SSL Certificates for ripe anchors

Previous message (by thread): [atlas] SSL Certificates for ripe anchors
Next message (by thread): [atlas] SSL Certificates for ripe anchors

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Robert Kisteleki robert at ripe.net
Tue Sep 3 11:38:33 CEST 2019

On 2019-09-03 11:17, Shane Kerr wrote:
> Robert,
> 
> On 03/09/2019 09.57, Robert Kisteleki wrote:
>>
>>> Still no one has answered why ripe is using self signed certs for anchor
>>> when they can use let's encrypt for free...
>>
>> TL;DR if the community prefers it we use LE (+TLSA).
>>
>> This comes with the expense of some one-time and ongoing operational
>> work. Considering that anchors don't host any sensitive information,
>> using self-signed certs (+TLSA) was so far considered good enough.
> 
> Sorry for asking this question so late in this thread, but what exactly
> are the certificates used for?

The anchors provide very basic services intended to help users who want
to use the anchors as measurement targets. They answer incoming ping,
DNS and HTTP(S) queries (see https://atlas.ripe.net/docs/anchors/). The
HTTP(S) service can respond with pages of various sizes which is
intended to help PMTUD tests for example.

It's possible that someone would want to check the TLS certificate of
the measured anchor, in which case a "proper" certificate may come handy.

Regards,
Robert

Previous message (by thread): [atlas] SSL Certificates for ripe anchors
Next message (by thread): [atlas] SSL Certificates for ripe anchors

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ ripe-atlas Archives ]