nanog mailing list archives

Re: PKI operators anyone?

From: John Curran <jcurran () mail com>
Date: Wed, 5 Sep 2007 13:36:43 -0400


private reply...  I'm sitting in a building with bunches of root CA's...

At 1:22 PM -0400 9/5/07, Sean Donelan wrote:

On Wed, 5 Sep 2007, John Curran wrote:

I dont see verisign roots expiring every five years.


I believe that they're on 30 years or so for the root CA
certificates, and shorter periods for the intermediates.


Commercial PKI expiration times are mostly based on how frequently you must pay the CA more money whether or not the 
certificate's private key was compromised. If a commercial PKI charges you $500 each year to renew a certificate, 
instead of $500 every two years, the commercial PKI has doubled its revenue.


I was referring to the root CA certificate, not the ones downsteam issued to customers.
All of verisgn's roots (class 1,2,3,4) expire in 2036.

You could always revoke a certificate's private keys sooner in the event its key is compromised.

In the event a certificate is compromised Certificate Revokation Lists (CRL) lifetimes, not the certificate's 
lifetime, determines how big the
exposure window for a compromised certificate.

If you re-issue (and check) CRL's daily for 10 year certificates, your exposure is a day, not 10 years.

In the event a CA is compromised, how quickly you can revoke the CA's trust, not the CA's certificate lifetime 
determines the exposure window.


Absolutely, if you knew of the compromise.  Frankly, if someone succeeded in
brute force attack, they'd likely be very careful about how to use the result to
avoid detection and maximine return.

Commercial CA roots changed to very long life times not because they are more "secure" (insert hand-waving about bits 
and signing ceremony) but because of the pain of frequently updating them.


Get a competent staff.  It's not that hard.

If you can remove a CA's root from your trust hierarchy within a day for a 100 year CA root, your exposure is a day, 
not 100 years.

The "valid dates" in the certificates are pretty much a red-herring; because the actual threat analysis should really 
be based on other
factors. Most certificate private keys are compromised not because someone figured out how to brute-force the 
multi-thousand bit keys, but because the computer and all the private keys it could access were compromised by random 
bits of malware.


Anyone running with a commercial  root server online
shouldn't be operating a CA.

/John

Current thread:

PKI operators anyone? Joe Maimon (Sep 05)
- Re: PKI operators anyone? John Curran (Sep 05)
  - Re: PKI operators anyone? Joe Maimon (Sep 05)
    - Re: PKI operators anyone? John Curran (Sep 05)
    - Re: PKI operators anyone? Sean Donelan (Sep 05)
    - Re: PKI operators anyone? John Curran (Sep 05)
    - Re: PKI operators anyone? Valdis . Kletnieks (Sep 05)
    - Re: PKI operators anyone? Chris Marlatt (Sep 05)
    - Re: PKI operators anyone? Sean Donelan (Sep 05)
    - Re: PKI operators anyone? bmanning (Sep 06)
    - Re: PKI operators anyone? Joel Jaeggli (Sep 06)
- RE: PKI operators anyone? Erik Amundson (Sep 05)
  - Re: PKI operators anyone? Joel Jaeggli (Sep 05)
    - RE: PKI operators anyone? Erik Amundson (Sep 06)
- Re: PKI operators anyone? Steven M. Bellovin (Sep 05)
  - Re: PKI operators anyone? Joe Maimon (Sep 05)

(Thread continues...)