For example with Postfix, you could selectively disable STARTTLS (with smtpd_discard_ehlo_keyword_address_maps) only for that provider's MTA IP range, so they will be forced to use plaintext, rather than you having to support legacy crypto specifically for them.
3 Likes
well the plan is full availability of ecdsa intermidiates with next run of intermediates and certbot already default to ecdsa, so I think answer likely be "why not ecdsa already?"
4 Likes
That's a lot of work for something that doesn't see much use; smtp over tls on port 587 should get most mta traffic.
2 Likes
another question is: if one doesn't understand ecdsa, how likely it understand pss padding?
looks like golang can't process RSASSA-PSS, crypto/x509: unable to parse certificate with rsassa-pss algorithm · Issue #48314 · golang/go · GitHub is open without any commit attached to it
3 Likes
Actually, I am getting tired of this discussion, but anyway.
Who are you telling? Nobody claimed anything different. See
There are two "if"s in the paragraph above. Yes, some harm must be done before.
Nobody talked about suing LE. Honestly, your post is a straw-man fallacy. You are refuting an argument that has never been made in the first place.
Yes.
No. The end-user has not a claim against LE as a CA. On what ground? Please note, that "users" of LE's services is not end-user, but a service providers which use LE to create certificates for their service (e.g. a web site).
The (potential) problem is as follows, and, yes, there must be some harm in the first place. Let's assume there was a data leak or violation of GDPR or some other kind of "harm". An end-user sues the service provider (not LE) and that service provider has been using certificates issued by LE. Now it turns out the certificates were not up to standard. Then, the end user might have good arguments against the service provider. It is the problem of the service providers to ensure that their IT security measures are up to standard. Hence, as a service provider doing business in Germany, this means the service provider need to reconsider whether LE is the right CA for them. Nobody has a claim against LE, because it is the responsibility of the service provider to choose the right CA.
Besides actual lawsuits (worst case) there also also other aspects. As a service provider one typical has to undergo a lot of audits (e.g. ISO 27001, ..., etc., you name it). Even without any actual harm one has to "prove" that one follows technical standards, recommendations etc., because assurance companies, business partners, etc., are crazy for that stuff. So you (as a service provider, not! end-user) has to show that you are using certificates which meet the required strength. You (as a service provider) can't do that if you using LE as your CA.
1 Like
I don't think LE can make BSI complient RSA certificate anyway: you already said it need PSS padding after 2025: and as boulder id written in golang and it doesn't support PSS padding, and unlike anyone written custom padding that only work for like 5 years and legacy client likely not able to use anyway:
3 Likes
While it seems clear that Let's Encrypt won't prioritize this change just for the theoretical compliance with this directive, it would be very interesting to hear BSI's own view on whether their rules were meant to apply to intermediate certificates this way, and whether they can articulate a security rationale for that.
It might turn out that they want to issue a clarification that (at least in some circumstances) intermediate certificates' signing keys are not expected to be 3072 bits¹, or alternatively that they can explain a threat scenario that might be more convincing to the Let's Encrypt team.
I'd be happy to help write a letter to BSI asking them to consider clarifying these topics if there's any chance that that might be helpful.
¹ A detailed threat model for the interaction with Certificate Transparency, for example, seems like a subtle question.
5 Likes
You could always use other free ACME CAs like Buypass, which (currently) uses a 4096 bits RSA intermediate and a 4096 bits RSA root certificate.
(Or check the others here, I can't check their intermediate/roots as crt.sh is down currently..)
4 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.