PKI¶

Self-Signed CAs¶

Current Status¶

These self-signed Cas are in use in DC's infrastruture:

• duckcorp : the main CA, we plan to continue using it for non-user-facing services
• duckcorp-backup : used for our backup software to secure TLS communications
• duckcorp-monitoring : used for our monitoring software to secure TLS communications

The duckcorp-backup and duckcorp-monitoring CAs could have been sub-CAs but our tool does not support it.

We use mkcert manually to generate and renew certificates. It can be run in place in our infra repository, as described in source:README.md.

Let's Encrypt¶

Current Status¶

All user facing services are using Let's Encrypt or soon are (#676).

TODO: more technical details

DANE¶

DANE is a security protocol used to reinforce TLS certificate validation by publishing certain information in the DNS. It requires your DNS zones to be secured using DNSSEC.

Current Status¶

Our zones are DNSSEC secured and we publish DANE-EE TLSA DNS records for the leaf certificates.

Services supporting DANE (or WIP):

• Postfix
• Web vhosts do not have a TLSA record yet, but this is coming (#675).

Checking DANE¶

The danetls tool is not packaged but there is a web service called danecheck by the same author.

DANE adoption¶

These are just notes to check on DANE adoption in various client software.

• HTTPS: plugins for majors browsers were developed and abandoned because necessary API support in the browsers vanished and there is no replacement
• SMTP: seems to have gained traction, suggested by the various checkers, Postfix supports it and we support it (see Mail)
• IMAP/POP3: Thunderbird integration was refused because it needs to be integrated in Firefox core first, but the Firefox integration does not seem to go anywhere
• IRC: Weechat integration is not making much progress despite a patch being available
• XMPP-c2s: ???
• XMPP-s2s: Prodosy has an experimental module but it is unmaintained and supposed to crash sometimes (according to the known issues)