On Fri, Dec 08, 2023 at 02:00:55PM -0500, Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:
> My previous post on this topic noted that Let's Encrypt are
> planning to *randomise* the choice of intermediate issuer CA used with
> each renewal.
>
> It now turns out that they will also be switching to new underlying
> intermediate CAs. So you'll get a random choice of *new* issuers.
>
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/L7XoAXt_s1c/m/k_vdk9rQAwAJ
>
> - We will be generating 5 RSA and 5 ECDSA intermediates, instead of 2
> each. We plan to automatically rotate issuance between multiple
> intermediates for improved redundancy.
>
> - We will be shortening their validity period from 5 years to 3 years,
> to reflect our commitment to issue new intermediates every 2 years.
>
> So anyone relying on DANE-TA(2) (certificate usage 2) needs to closely
> watch for upcoming announcements from LE, and be prepared to add TLSA
> records for the new intermediates soon. Or stop playing their game, and
> switch to a robust "3 1 1" + "3 1 1" model with a stable by default
> key during certificate renewals.
>
> --
> Viktor.

You know it makes sense.

cheers,
raf
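The "3 1 1" + "3 1 1" model Viktor refers to above, as an added example that is not part of the thread and not Postfix or Let's Encrypt code: it generates the TLSA rdata for a current key and a pre-staged successor key, then applies the usage-3 check a DANE-EE verifier performs to certificates issued on those keys. It assumes the openssl command line tool; the hostname mail.example.com, the self-signed stand-in certificates and the helper names (spki_sha256, tlsa_311, dane_match) are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): publishing "3 1 1" + "3 1 1" TLSA
# records for a current and a pre-staged next key, and checking what a
# DANE-EE(3) / SPKI(1) / SHA-256(1) verifier would accept. Assumes the
# openssl CLI; mail.example.com and the helper names are constructed here.
set -eu

# spki_sha256 FILE: hex SHA-256 of the DER SubjectPublicKeyInfo in FILE.
# FILE is a PEM certificate or a PEM private key. Only the public key is
# hashed, so the value is identical for every certificate issued on that
# key, whichever intermediate happened to sign it.
spki_sha256() {
    { if grep -q 'BEGIN CERTIFICATE' "$1"; then
          openssl x509 -in "$1" -noout -pubkey
      else
          openssl pkey -in "$1" -pubout
      fi; } |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 |
    sed 's/^.*= //'
}

# tlsa_311 HOST FILE: the TLSA record to publish for the SMTP service on HOST.
tlsa_311() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(spki_sha256 "$2")"
}

# dane_match CERT ZONEFILE: the usage-3 check. The presented certificate's
# key must hash to one of the published "3 1 1" records; the issuer chain
# is not consulted at all. Returns 0 on a match, 1 otherwise.
dane_match() {
    want=$(spki_sha256 "$1")
    grep -q " 3 1 1 $want\$" "$2"
}

# --- demonstration on freshly generated keys -------------------------------
host=mail.example.com                     # constructed, not a real host
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

genkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
# self-signed stand-in for a CA-issued certificate on the given key
mkcert() { openssl req -x509 -new -key "$1" -subj "/CN=$host" -days 30 -out "$2" 2>/dev/null; }

genkey "$work/cur.key"      # key in service today
genkey "$work/next.key"     # successor key, generated before it is needed
genkey "$work/rogue.key"    # a key nobody published, e.g. an impostor's

# Zone data: one record for the live key, one for the pre-staged successor.
# Both can be published before any certificate on next.key exists, because
# the digest needs only the key.
{ tlsa_311 "$host" "$work/cur.key"; tlsa_311 "$host" "$work/next.key"; } > "$work/zone.txt"

mkcert "$work/cur.key"   "$work/cert1.pem"   # today's certificate
mkcert "$work/cur.key"   "$work/cert2.pem"   # renewal on the same key
mkcert "$work/next.key"  "$work/cert3.pem"   # first certificate after rollover
mkcert "$work/rogue.key" "$work/rogue.pem"   # valid-looking, wrong key

cat "$work/zone.txt"
for c in cert1 cert2 cert3 rogue; do
    if dane_match "$work/$c.pem" "$work/zone.txt"; then
        echo "$c.pem: accepted"
    else
        echo "$c.pem: rejected (no matching 3 1 1 record)"
    fi
done
```

The two lines written to zone.txt are what goes into DNS; cert1, cert2 and cert3 are all accepted because their keys are published, while rogue.pem is rejected regardless of who signed it. Renewing on the same key (with certbot, `--reuse-key`) keeps the live record valid indefinitely, and the successor record only has to be in place, and past its TTL, before the first certificate on next.key is deployed.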