- Why it's acceptable for Let's Encrypt's root to be sha-1 signed and why root certificates are exempt from SHA1 sunsetting: https://community.letsencrypt.org/t/sha-1-signed-certificate-in-chain/24897/2
- Currently Let’s Encrypt only signs end-entity certificates with RSA intermediates. Let’s Encrypt will generate an ECDSA root and intermediates [in the future] which can be used to sign end-entity certificates [ref].
- The benefit of an ECDSA authentication key (over RSA) is speed.
- RSA don't scale very well as you increase bit size compared to ECDSA [ref: Section 1.1]
- You should only support suites that use ECDHE and DHE as they offer Perfect Forward Secrecy. How to read a cipher suite [ref]:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 --------------------------------------- TLS - the protocol used ECDHE - the key exchange mechanism ECDSA - the algorithm of the authentication key AES - the symmetric encryption algorithm 128 - the key size of the above GCM - the mode of the above SHA256 - the MAC used by the algorithm
Last active
February 4, 2018 00:22
-
-
Save nickscript0/9790370cd80f915cdd0d8c97b579d773 to your computer and use it in GitHub Desktop.
Let's Encrypt Cert and Key Security information
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment