nanog mailing list archives

Re: PKI operators anyone?

From: John Curran <jcurran () mail com>
Date: Wed, 5 Sep 2007 10:27:32 -0400


At 10:06 AM -0400 9/5/07, Joe Maimon wrote:


80 years for the root, 4096bit key
35 years for the policy, 4096bit key
15 years for the issuing, ?bit key
<=5 years for the issued certificates.

Good idea? Bad Idea? Comments?


Joe -
 
  What's the implications of a single issued certificate being
  cracked, and again for one of the root/policy/issuing set?

  There's quite a bit of speedy hardware out there today
  (particularly if you count things like repurposed video
  processors) and 5 years is a *very* long time in our
  industry.   You can actually hunt down the CPS for
  most public CA's, and I think you'll find that they put
  up with the "loads of fun every 11 months or so..."
 
  However, for them the implications of a compromised
  issued cert is potential customer liability, and for an
  the issuing certificate or above is basically loss of their
  confidence in their entire business of being a CA.  You
  have to assess the implications based on the expected
  certificate use for your CA.

Hope this helps,
/John

Current thread:

PKI operators anyone? Joe Maimon (Sep 05)
- Re: PKI operators anyone? John Curran (Sep 05)
  - Re: PKI operators anyone? Joe Maimon (Sep 05)
    - Re: PKI operators anyone? John Curran (Sep 05)
    - Re: PKI operators anyone? Sean Donelan (Sep 05)
    - Re: PKI operators anyone? John Curran (Sep 05)
    - Re: PKI operators anyone? Valdis . Kletnieks (Sep 05)
    - Re: PKI operators anyone? Chris Marlatt (Sep 05)
    - Re: PKI operators anyone? Sean Donelan (Sep 05)
    - Re: PKI operators anyone? bmanning (Sep 06)
    - Re: PKI operators anyone? Joel Jaeggli (Sep 06)
- RE: PKI operators anyone? Erik Amundson (Sep 05)

(Thread continues...)