This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] SSL Certificates for ripe anchors
Daniel Karrenberg
dfk at ripe.net
Tue Sep 3 12:18:39 CEST 2019
> On 3 Sep 2019, at 11:38, Robert Kisteleki wrote:
>
> On 2019-09-03 11:17, Shane Kerr wrote:
>> …
>> Sorry for asking this question so late in this thread, but what exactly
>> are the certificates used for?
>
> The anchors provide very basic services intended to help users who want
> to use the anchors as measurement targets. They answer incoming ping,
> DNS and HTTP(S) queries (see https://atlas.ripe.net/docs/anchors/). The
> HTTP(S) service can respond with pages of various sizes which is
> intended to help PMTUD tests for example.
>
> It's possible that someone would want to check the TLS certificate of
> the measured anchor, in which case a "proper" certificate may come
> handy.
>
> Regards,
> Robert

Going back to Jóhann, who brought this up:

“Using a self signed certificate in today's age acts as an indicator that the security on the device or server in use might be in question … and thus can negatively impact the anchor hosting provider security grade, which may lead to anchors having to be removed from data centers to prevent them from negatively affecting corporation's security ratings.”

So we have devices that expose the https port and respond with a self signed cert. Any security audit will flag that. Rather than explain to the auditors that there is no ‘real’ http service here, it is a measurement device, … Jóhann suggests to put an acceptably signed cert there.

To me this sounds like a no-brainer to make life easier for anchor hosts and not an ideological issue about which CA to use or about other methods of securing https.

So can we deploy certs that will satisfy the security audit and get on with life?

Daniel