nanog mailing list archives
Re: PKI operators anyone?
From: Sean Donelan <sean () donelan com>
Date: Wed, 5 Sep 2007 14:46:49 -0400 (EDT)
On Wed, 5 Sep 2007, Chris Marlatt wrote:
>> If you re-issue (and check) CRLs daily for 10 year certificates, your exposure is a day, not 10 years.
>
> Isn't this making the assumption that you know there has been a compromise? With the certificate expiring at a shorter interval you're guaranteed that the exposure is a shorter period of time regardless of whether you know the certificate is compromised or not. This however also assumes that the method "they" used to compromise the old certificate cannot be used again to compromise the new one in a similar fashion.
Since this is true across all authentication systems, why not have the same validity periods for passwords, PKI certificates, hardware tokens?
If you require people to change passwords every 7 days, because you don't know if the password might have been compromised; shouldn't you also change your PKI certificates every 7 days, and your hardware tokens every 7 days because you don't know whether or not they've been compromised? Maybe PKI certificates should be one-time use only, because you never know if they've been compromised.
The validity period should be an output of your administrative procedures and risk assessment (really risk acceptance); not an input.
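The two positions above differ on what actually bounds the exposure of a compromised key: the certificate's own expiry, or the next CRL that relying parties fetch after the compromise is noticed. The following is an added example (not from any message in this thread) that models both cases; the dates, the daily 00:00 CRL schedule, the detection time and the relying-party refresh delay are all constructed for illustration.

```python
"""Exposure-window model: how long a compromised certificate keeps working
under a given CRL publication schedule, certificate validity and detection
outcome.

Added example for the thread above, not code from the original mail. All
dates, intervals and the scenario set are constructed for illustration.
"""
from datetime import datetime, timedelta
from typing import Optional, Tuple


def next_publication(t: datetime, epoch: datetime, interval: timedelta) -> datetime:
    """First scheduled CRL publication at or after time t."""
    if t <= epoch:
        return epoch
    n = (t - epoch) // interval            # whole intervals elapsed since epoch
    candidate = epoch + n * interval
    return candidate if candidate >= t else candidate + interval


def exposure_window(
    compromised_at: datetime,
    cert_not_after: datetime,
    crl_epoch: datetime,
    crl_interval: timedelta,
    detected_at: Optional[datetime] = None,
    relying_party_refresh: timedelta = timedelta(0),
) -> Tuple[timedelta, str]:
    """Return how long the compromised key remains usable and what ends it.

    Without detection the only bound is the certificate's own expiry. With
    detection, the revocation reaches relying parties only on the next
    scheduled CRL, plus however long they take to refresh a cached copy.
    """
    end, reason = cert_not_after, "certificate expiry"
    if detected_at is not None and detected_at < cert_not_after:
        published = next_publication(detected_at, crl_epoch, crl_interval)
        effective = published + relying_party_refresh
        if effective < end:
            end, reason = effective, "CRL revocation"
    return end - compromised_at, reason


def run_scenarios() -> dict:
    """Constructed scenarios; returns {name: (exposure_hours, reason)}."""
    crl_epoch = datetime(2007, 9, 1)          # daily CRL published at 00:00
    daily = timedelta(days=1)
    compromised = datetime(2007, 9, 3, 10, 0)  # key stolen Sep 3, 10:00
    detected = datetime(2007, 9, 5, 15, 30)    # theft noticed Sep 5, 15:30
    ten_year_cert = datetime(2017, 9, 1)
    seven_day_cert = datetime(2007, 9, 8)
    cases = {
        "10y cert, daily CRL, detected": exposure_window(
            compromised, ten_year_cert, crl_epoch, daily, detected),
        "10y cert, daily CRL, undetected": exposure_window(
            compromised, ten_year_cert, crl_epoch, daily),
        "7d cert, daily CRL, undetected": exposure_window(
            compromised, seven_day_cert, crl_epoch, daily),
        "10y cert, daily CRL, detected, 12h RP refresh": exposure_window(
            compromised, ten_year_cert, crl_epoch, daily, detected,
            relying_party_refresh=timedelta(hours=12)),
    }
    return {k: (v[0].total_seconds() / 3600, v[1]) for k, v in cases.items()}


if __name__ == "__main__":
    for name, (hours, reason) in run_scenarios().items():
        print(f"{name:48s} {hours / 24:8.2f} days  ({reason})")
```

With these inputs the detected case on a 10-year certificate closes in a little over two and a half days, the undetected case runs to the certificate's expiry roughly ten years out, and the 7-day certificate bounds the undetected case to under five days. The relying-party refresh term is the part operators tend to forget: publishing a CRL daily does nothing for a client that caches the old one for a week.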
Current thread:
- PKI operators anyone? Joe Maimon (Sep 05)
- Re: PKI operators anyone? John Curran (Sep 05)
- Re: PKI operators anyone? Joe Maimon (Sep 05)
- Re: PKI operators anyone? John Curran (Sep 05)
- Re: PKI operators anyone? Sean Donelan (Sep 05)
- Re: PKI operators anyone? John Curran (Sep 05)
- Re: PKI operators anyone? Valdis . Kletnieks (Sep 05)
- Re: PKI operators anyone? Chris Marlatt (Sep 05)
- Re: PKI operators anyone? Sean Donelan (Sep 05)
- Re: PKI operators anyone? Joe Maimon (Sep 05)
- Re: PKI operators anyone? bmanning (Sep 06)
- Re: PKI operators anyone? Joel Jaeggli (Sep 06)
- Re: PKI operators anyone? John Curran (Sep 05)
- Re: PKI operators anyone? Joel Jaeggli (Sep 05)
- RE: PKI operators anyone? Erik Amundson (Sep 06)
- Re: PKI operators anyone? Joe Maimon (Sep 05)
- Re: PKI operators anyone? Steven M. Bellovin (Sep 05)
- <Possible follow-ups>
- RE: PKI operators anyone? Paul Ferguson (Sep 05)