Enhancement #461
Prepare TLSA rollover tools
Status: open
Done: 0%
Description
Currently the tools are able to publish TLSA, but this does not allow rollovers.
We need to upgrade the process/script to publish the new records while keeping the previous records for a certain time, which means we need to memoize when they were published and have some automated way of removing the old ones.
In this process we need to pre-publish, which means installing the new certificate later. So we need to act in advance before the previous one expires.
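The rollover the description asks for, as an added example that is not the project's own tooling: a small ledger that records when each TLSA RR was published, refuses to switch the certificate before the new RR has been in the zone for at least one TTL, and removes the retired RR only after a retention window has passed. The SPKI blobs, the owner name and the 5 minute TTL are constructed placeholders; a real run would feed it the DER SubjectPublicKeyInfo of the old and new certificates and persist the ledger between cron runs.

```python
# Added example: a TLSA rollover ledger (pre-publish, install, retain, retire).
# Not the project's tooling; SPKI blobs, owner name and timings are constructed.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# DANE-EE (3), SubjectPublicKeyInfo (1), SHA-256 (1): pins only the key, so the
# record survives CA changes such as Let's Encrypt renewals with the same key.
USAGE_DANE_EE, SELECTOR_SPKI, MATCHING_SHA256 = 3, 1, 1


def tlsa_rdata(spki_der: bytes) -> str:
    """TLSA RDATA ("3 1 1 <hex>") for a DER-encoded SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"{USAGE_DANE_EE} {SELECTOR_SPKI} {MATCHING_SHA256} {digest}"


@dataclass
class TlsaEntry:
    rdata: str
    published_at: datetime                      # RR went into the zone
    installed_at: Optional[datetime] = None     # certificate went live
    retired_at: Optional[datetime] = None       # replaced by a newer cert


@dataclass
class RolloverLedger:
    """Every TLSA RR currently in the zone for one service, with its history."""
    ttl: timedelta
    entries: List[TlsaEntry] = field(default_factory=list)

    def prepublish(self, spki_der: bytes, now: datetime) -> TlsaEntry:
        """Step 1: publish the RR for the *next* certificate (idempotent)."""
        rdata = tlsa_rdata(spki_der)
        for e in self.entries:
            if e.rdata == rdata and e.retired_at is None:
                return e
        entry = TlsaEntry(rdata=rdata, published_at=now)
        self.entries.append(entry)
        return entry

    def ready_to_install(self, entry: TlsaEntry, now: datetime) -> bool:
        """Step 2: only switch certs once resolvers that cached the old RRset
        have had a full TTL to refetch it and see the new RR."""
        return now - entry.published_at >= self.ttl

    def install(self, entry: TlsaEntry, now: datetime) -> None:
        """Step 3: mark the new cert live; start the retention clock on the old one."""
        if not self.ready_to_install(entry, now):
            raise ValueError("TLSA RR not yet propagated; wait a full TTL")
        for e in self.entries:
            if e is not entry and e.installed_at is not None and e.retired_at is None:
                e.retired_at = now
        entry.installed_at = now

    def expire(self, now: datetime, retention: Optional[timedelta] = None) -> List[TlsaEntry]:
        """Step 4: drop retired RRs after the retention window (default one TTL,
        so no cache still holding the old RRset points at a vanished cert)."""
        retention = self.ttl if retention is None else retention
        gone = [e for e in self.entries
                if e.retired_at is not None and now - e.retired_at >= retention]
        self.entries = [e for e in self.entries if not any(e is g for g in gone)]
        return gone

    def zone_records(self, owner: str) -> List[str]:
        """RRs that must be in the zone right now (old and new overlap mid-rollover)."""
        ttl_s = int(self.ttl.total_seconds())
        return [f"{owner} {ttl_s} IN TLSA {e.rdata}" for e in self.entries]


OLD_SPKI = b"constructed-old-spki-der-placeholder"   # constructed, not a real key
NEW_SPKI = b"constructed-new-spki-der-placeholder"   # constructed, not a real key
OWNER = "_25._tcp.mail.example.net."                 # placeholder owner name


def run_rollover() -> Dict[str, object]:
    """Walk one rollover with a 5 minute TTL and report what happened at each step."""
    ledger = RolloverLedger(ttl=timedelta(minutes=5))
    t0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    old = ledger.prepublish(OLD_SPKI, t0 - timedelta(days=1))
    ledger.install(old, t0)                                  # old cert live
    t1 = t0 + timedelta(hours=1)
    new = ledger.prepublish(NEW_SPKI, t1)                    # pre-publish new RR
    overlap = ledger.zone_records(OWNER)                     # both RRs served
    try:
        ledger.install(new, t1)                              # too early
        rejected = False
    except ValueError:
        rejected = True
    ledger.install(new, t1 + ledger.ttl)                     # after one TTL
    removed_early = ledger.expire(t1 + ledger.ttl)           # nothing yet
    removed = ledger.expire(t1 + 2 * ledger.ttl)             # old RR retired
    return {"old_rdata": old.rdata, "overlap": overlap, "rejected": rejected,
            "removed_early": [e.rdata for e in removed_early],
            "removed": [e.rdata for e in removed],
            "final": ledger.zone_records(OWNER)}


if __name__ == "__main__":
    for k, v in run_rollover().items():
        print(k, v)
```

The wait before `install` and the retention before `expire` both default to one TTL, which is why the short TTLs mentioned later in this issue make the whole window short; a deployment that wants more margin passes a larger `retention` to `expire` or checks `ready_to_install` against a multiple of the TTL.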
Updated by Marc Dequènes over 7 years ago
- Priority changed from High to Normal
- https://bugs.chromium.org/p/chromium/issues/detail?id=50874
- https://bugzilla.mozilla.org/show_bug.cgi?id=672600
So maybe some hope in the MOSS project for Firefox, but not for today.
I'm then lowering the priority of this BR.
Updated by Marc Dequènes about 5 years ago
- Related to Enhancement #675: Publish DANE/TLSA records for Let's Encrypt generated certs added
Updated by Marc Dequènes about 5 years ago
For information: https://bugzilla.mozilla.org/show_bug.cgi?id=672600
Updated by Marc Dequènes about 5 years ago
- Priority changed from Normal to Low
We had some DuckCorp-CA generated TLSA RRs of 1 hour TTL in the past and it did not cause any problem. We currently rely on a very small 5 min TTL for TLSA RRs generated from LE so it should even reduce potential problems.
I'm keeping this BR around for future improvement when the tooling is more developed but lowering the priority.