Re: 6-day TLS certificates from Let's Encrypt

Subject: Re: 6-day TLS certificates from Let's Encrypt
From: invalid (at) *nospam* invalid.invalid (Richard Kettlewell)
Newsgroups: comp.misc
Date: 13. Dec 2024, 00:28:32
Organization: terraraq NNTP server
Message-ID: <wwvo71gpjkv.fsf@LkoBDZeT.terraraq.uk>
References: 1 2 3 4 5 6
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Broseki <broseki@whitetail.is> writes:
> That is an interesting point; I wonder how much load they are really
> seeing; the certs I have set to 2 days are all for corporate internal
> CAs using ACME not Let's Encrypt, my LE certs are still the default
> (30 days now?). I also wonder if they have any sort of crypto
> acceleration going on in the backend to make what I assume to be
> massive amounts of requests flow smoothly.

They are using donated Hardware Security Modules (or were in 2021).

https://letsencrypt.org/2021/02/10/200m-certs-24hrs/#hsm-performance

HSMs do often include some kind of crypto accelerator rather than using
their main CPU. However the need for an HSM in this particular context
is not about performance as such (although of course they do need to
satisfy the service’s performance requirements); it’s about protecting
the signing key. See s6.2.7 of:
https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.1.pdf

The analysis in the blog post is about the cost of re-signing everything
during disaster recovery.  If the 200M total certificates figure is
still approximately right then renewing every 6 days is under 400TPS.
Even with 100%+ growth in the intervening years a single HSM is not
going to have much trouble keeping up.

--
https://www.greenend.org.uk/rjk/
