My calendar is full 10 years from now
Take a look at this wonderful example of foresightedness (or hubris).
In a little over ten years, Let’s Encrypt root certificates are going to expire. There are already established procedures for how to handle this from other Certificate Authorities, and I assume that there will be a well-communicated plan for this in advance.
That said, I’m writing this blog post primarily because I want to put the URL in the notes for the meeting above. Because in 10 years, I’m pretty certain that I won’t be able to recall why this is such a concerning event for us.
RavenDB uses certificates for authentication, usually generated via Let’s Encrypt. Since those certificates expire every 3 months, they are continuously replaced. When we talk about trust between different RavenDB instances, that can cause a problem. If the certificate changes every 3 months, how can I trust it?
RavenDB trusts a certificate directly, as well as any later version of that certificate, provided that the leaf certificate has the same key and that the two certificates have at least one shared signer. That handles the scenario where you replace the intermediate certificate (you can go up to the root certificate for trust at that point).
Depending on the exact manner in which the root certificate will be replaced, we need to verify that RavenDB is properly handling this update process. This meeting is set for over a year before the due date, which should give us more than enough time to handle this.
Right now, if they are using the same key on the new root certificate, it will just work as expected. If they opt for cross-signing with another root certificate, we need to ensure that we can verify the signatures on both chains. That is hard to plan for because things change.
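A minimal model of the trust rule and the replacement scenarios described above, added here as an example and not RavenDB's own code. It assumes signers are identified by a hash of their public key and that every chain has already been cryptographically validated; the `Cert` class, the names and the key bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    # Constructed stand-in for a parsed X.509 certificate.
    subject: str
    public_key: bytes  # stands in for the SubjectPublicKeyInfo bytes
    serial: int

def key_pin(cert):
    # Identify a certificate by its key, so a re-issue with the same key matches.
    return hashlib.sha256(cert.public_key).hexdigest()

def is_trusted(trusted_chain, presented_chain):
    # Chains are ordered leaf first, root last, and already signature-validated.
    trusted_leaf, presented_leaf = trusted_chain[0], presented_chain[0]
    if presented_leaf == trusted_leaf:
        return True  # the exact certificate that was registered
    if key_pin(presented_leaf) != key_pin(trusted_leaf):
        return False  # a different leaf key is never a "later version"
    trusted_signers = {key_pin(c) for c in trusted_chain[1:]}
    presented_signers = {key_pin(c) for c in presented_chain[1:]}
    return bool(trusted_signers & presented_signers)

def scenarios():
    # Constructed sample chains; names and key bytes are placeholders.
    root = Cert("Root A", b"root-a-key", 1)
    inter = Cert("Intermediate 1", b"inter-1-key", 10)
    registered = [Cert("db.example", b"leaf-key", 100), inter, root]
    renewed = Cert("db.example", b"leaf-key", 101)       # 3-month renewal, same key
    rekeyed = Cert("db.example", b"new-leaf-key", 102)   # renewal with a new key
    new_inter = Cert("Intermediate 2", b"inter-2-key", 11)
    reissued_root = Cert("Root A", b"root-a-key", 2)     # new root cert, same key
    other_root = Cert("Root B", b"root-b-key", 3)        # chain via a different root
    return {
        "renewal": is_trusted(registered, [renewed, inter, root]),
        "new_intermediate": is_trusted(registered, [renewed, new_inter, root]),
        "root_same_key": is_trusted(registered, [renewed, new_inter, reissued_root]),
        "other_root_only": is_trusted(registered, [renewed, new_inter, other_root]),
        "rekeyed_leaf": is_trusted(registered, [rekeyed, inter, root]),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'trusted' if ok else 'rejected'}")
```

In this model, `other_root_only` is the cross-signing case to watch: a chain built solely through a different root shares no signer with the registered one, so the check only passes if the chain through the original root is also available for comparison.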
In short, future Oren, be sure to double-check this in time.
Comments
Thanks for very early heads up! I was not thinking about Let's Encrypt. I was only thinking about the famous Year 2038 problem: https://en.m.wikipedia.org/wiki/Year_2038_problem
My brother suggested I might like this web site. He was totally right. This post actually made my day. You can't imagine simply how much time I had spent for this information! Thanks!
Thank you, I've recently been looking for info approximately this topic for a long time and yours is the greatest I've discovered so far. However, what about the bottom line? Are you sure about the supply?
Hi there friends, nice post and good arguments commented here, I am in fact enjoying by these.