Home » Posts tagged "ca" (Page 2)

Amazon Route 53 支援 CAA record 了

Amazon Route 53 宣佈支援 CAA record 了:「Announcement: Announcement: Amazon Route 53 now supports CAA records」、「Amazon Route 53 now supports CAA records」。

這是一個被動性的 workaround,要求 CA 本身要支援 DNS CAA,所以他沒辦法防止 CA 本身作惡誤簽,但因為負作用與技術債的可能性不高,在 CA/Browser Forum 上被通過強制要求支援了。(參考「未來 CA 將會強制要求檢查 DNS CAA record」)

Gandi 的 DNS 服務也支援了 (要透過 export mode,參考「How can I add a CAA record?」),不過 Linode 還沒做...

Amazon Route 53 將會加緊支援 DNS CAA

看到 Amazon Route 53 要支援 DNS CAA 的消息:「Announcement: Announcement: CAA Record Support Coming Soon」。

裡面有提到 CA/Browser Forum 的決議,要求各瀏覽器支援 DNS CAA:

On March 8, 2017, the Certification Authority and Browser Forum (CA/Browser Forum) mandated that by September 8, 2017, CA’s are expected to check for the presence of a CAA DNS record and, if present, refuse issuance of certificates unless they find themselves on the whitelist <https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/>.

DNS CAA 可以設定哪些 SSL certificate 可以發出你的證書,除了自己以外,也可以讓第三者比較容易確認是否有誤發的行為:

We have seen a lot of interest in Amazon Route 53 support for Certification Authority Authorization (CAA) records, which let you control which certificate authorities (CA) can issue certificates for your domain name.

Google Chrome 對 WoSign 與 StartCom 的白名單要完全移除了

Twitter 上看到的:

WoSignStartCom 的移除會發生在 61 版,而依照「Final removal of trust in WoSign and StartCom Certificates」這邊的說明,stable 應該會在九月出 61 版而生效:

Based on the Chromium Development Calendar, this change should be visible in the Chrome Dev channel in the coming weeks, the Chrome Beta channel around late July 2017, and will be released to Stable around mid September 2017.

Let's Encrypt 決定要規劃 Wildcard SSL Certificate 了

Let's Encrypt 把時間表喊出來了,預定在 2018 年年初開放使用:「Wildcard Certificates Coming January 2018」。

Wildcard SSL Certificate 會需要走新的 ACME v2 協定認證:

Wildcard certificates will be offered free of charge via our upcoming ACME v2 API endpoint. We will initially only support base domain validation via DNS for wildcard certificates, but may explore additional validation options over time.

跟前陣子提到的「ACME v2 API Endpoint Coming January 2018」是相同的時間。


IE 與 Edge 推出更新,阻擋 SHA-1 憑證

微軟這幾天推出更新,IEEdge 將不會接受 SHA-1 憑證:「Microsoft Makes it Official, Cuts off SHA-1 Support in IE, Edge」。微軟的公告則是在「Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11」這邊。

根憑證不受影響 (所以企業自己產生的 Root CA 也不受影響):

Beginning May 9, 2017, Microsoft released updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates.

未來 CA 將會強制要求檢查 DNS CAA record

CA/Browser 通過提案,要求以後 CA 單位都要檢查 DNS CAA record 才能發放憑證 (RFC 6844 的「DNS Certification Authority Authorization (CAA) Resource Record」):「Ballot 187 - Make CAA Checking Mandatory」。

Certificate Authority Authorization (CAA) is a DNS Resource Record defined in RFC 6844 – https://datatracker.ietf.org/doc/rfc6844/ , published in January 2013. It allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain and, by implication, that no other CAs are authorized.

透過 DNS CAA 資料,你可以限制只有誰可以發你的憑證,直接用白名單做控管。

未來 SSL Certificate 的最大有效時間將降到 825 天

CA/Browser Forum 通過了這項提案,將 SSL Certificate 的最大有效時間降到 825 天 (大約 27 個月):「Ballot 193 - 825-day Certificate Lifetimes」。

所以將會從本來的 39 個月降到 27 個月左右,所以現在買得到最長的 certificate 會有 3 年,以後會有 2 年:

Recent Ballot 185 demonstrated a consensus among Forum members to reduce the maximum lifetime for DV and OV certificates from 39 months to 825 days (roughly 27 months). This ballot reflects that consensus, and also reduces the maximum period for reuse of vetting data for DV and OV certificates from 39 months to 27 months.

Firefox 下一個版本 (52) 將預設關閉 SHA-1 支援

順著 SHA-1 正式被打穿,Mozilla 也正式宣佈從下一個版本的 Firefox 將完全關閉 SHA-1 支援 (看敘述應該還是可以透過 about:config 開):「The end of SHA-1 on the Public Web」。

As announced last fall, we’ve been disabling SHA-1 for increasing numbers of Firefox users since the release of Firefox 51 using a gradual phase-in technique. Tomorrow, this deprecation policy will reach all Firefox users. It is enabled by default in Firefox 52.


dehydrated 0.4.0 的新要求

dehydrated 出 0.4.0 了,剛剛把 PPA for dehydrated 更新了,已經安裝過的使用者可以直接升級使用。

這次主要的改變在於建立帳號時必須先同意 Let's Encrypt 的使用條款:

dehydrated now asks you to read and accept the CAs terms of service before creating an account

這邊可以用 dehydrated --register --accept-terms 表示同意並且建立帳號。