nanog mailing list archives
Re: PKI operators anyone?
From: Joe Maimon <jmaimon () ttec com>
Date: Wed, 05 Sep 2007 11:25:11 -0400
John Curran wrote:
> At 10:06 AM -0400 9/5/07, Joe Maimon wrote:
> > 80 years for the root, 4096bit key
> > 35 years for the policy, 4096bit key
> > 15 years for the issuing, ?bit key
> > <=5 years for the issued certificates.
> >
> > Good idea? Bad Idea? Comments?
>
> Joe -
>
> What are the implications of a single issued certificate being cracked, and again for one of the root/policy/issuing set? There's quite a bit of speedy hardware out there today (particularly if you count things like repurposed video processors) and 5 years is a *very* long time in our industry.
>
> You can actually hunt down the CPS for most public CAs, and I think you'll find that they put up with the "loads of fun every 11 months or so..." However, for them the implications of a compromised issued cert is potential customer liability, and for the issuing certificate or above is basically loss of their confidence in their entire business of being a CA.
>
> You have to assess the implications based on the expected certificate use for your CA.
>
> Hope this helps,
> /John
Sounds like what you are saying is that creating validity periods based on expected cracking time is an exercise in futility then.

I don't see Verisign roots expiring every five years.
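The tiered lifetimes proposed in the thread (root 80 years, policy 35, issuing 15, issued certificates 5 or less, 4096-bit CA keys) are the kind of thing a CA operator ends up encoding as an audit rule. The following is an added example, not code from the thread or from any CA; it checks a chain of certificate summaries against such a policy and also flags a certificate whose validity is not nested inside its issuer's (the usual way a long-lived leaf silently stops validating). The tier limits come from the thread; the 2048-bit floor for issued certificates, the nesting rule, and every certificate below are assumptions or constructed data for the example.

```python
"""
Audit a CA hierarchy against a tiered validity / key-size policy of the
kind discussed in the thread.  Constructed example: the certificates
below are hand-written summaries, not parsed from real certificates.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: (maximum validity in years, minimum RSA key bits) per tier.
# CA tier numbers follow the proposal in the thread; the 2048-bit floor for
# issued ("leaf") certificates is an assumption, the thread left it open.
POLICY = {
    "root":    (80, 4096),
    "policy":  (35, 4096),
    "issuing": (15, 4096),
    "leaf":    (5,  2048),
}


@dataclass
class CertSummary:
    name: str
    tier: str
    key_bits: int
    not_before: date
    not_after: date
    issuer: "CertSummary | None" = None  # None for the self-signed root


def years_between(start, end):
    # Approximate years; leap days are not material for a policy comparison.
    return (end - start).days / 365.25


def check_chain(leaf):
    """Walk from leaf to root; return a list of findings (empty = policy met)."""
    findings = []
    cert = leaf
    while cert is not None:
        max_years, min_bits = POLICY[cert.tier]
        lifetime = years_between(cert.not_before, cert.not_after)
        if lifetime > max_years:
            findings.append(f"{cert.name}: validity {lifetime:.1f}y exceeds "
                            f"{max_years}y allowed for tier {cert.tier}")
        if cert.key_bits < min_bits:
            findings.append(f"{cert.name}: {cert.key_bits}-bit key below "
                            f"{min_bits}-bit minimum for tier {cert.tier}")
        parent = cert.issuer
        if parent is not None and (cert.not_after > parent.not_after
                                   or cert.not_before < parent.not_before):
            # Once the issuer expires, relying parties stop building a valid
            # path, so a child that outlives its issuer is a policy defect.
            findings.append(f"{cert.name}: validity not nested inside "
                            f"issuer {parent.name}")
        cert = parent
    return findings


# Constructed hierarchy, all dated from the day of the thread.
START = date(2007, 9, 5)
ROOT = CertSummary("Example Root CA", "root", 4096,
                   START, START + timedelta(days=365 * 80))
POL = CertSummary("Example Policy CA", "policy", 4096,
                  START, START + timedelta(days=365 * 35), ROOT)
ISS = CertSummary("Example Issuing CA", "issuing", 4096,
                  START, START + timedelta(days=365 * 15), POL)
GOOD_LEAF = CertSummary("www.example.net", "leaf", 2048,
                        START, START + timedelta(days=365 * 5), ISS)
# Too long-lived and too small a key.
BAD_LEAF = CertSummary("mail.example.net", "leaf", 1024,
                       START, START + timedelta(days=365 * 6), ISS)
# Issued 14 years into the issuing CA's 15-year life with a 5-year validity:
# it outlives its issuer.
LATE_START = START + timedelta(days=365 * 14)
LATE_LEAF = CertSummary("vpn.example.net", "leaf", 2048,
                        LATE_START, LATE_START + timedelta(days=365 * 5), ISS)

if __name__ == "__main__":
    for leaf in (GOOD_LEAF, BAD_LEAF, LATE_LEAF):
        print(leaf.name, "->", check_chain(leaf) or "OK")
```

The nesting check is the part worth keeping even if the lifetime numbers change: it catches the operational mistake of issuing five-year certificates from an issuing CA that has less than five years left, which no amount of debate about cracking time will surface.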