nanog mailing list archives
Re: PKI operators anyone?
From: Joe Maimon <jmaimon () ttec com>
Date: Wed, 05 Sep 2007 15:43:06 -0400
Steven M. Bellovin wrote:
> The question about root key lifetime turns not just on the security issues but on how easy it is to change the root key, either routinely or in event of a compromise. To a first approximation, no certificate acceptor *ever* changes its notion of root keys. In that case, the question is how many acceptors you have, what their lifetime is, and how easily you can be one of the rare people who does change the root. That's why browsers have long-lived certificates built in -- that list rarely changes. You suggest an 80-year lifetime for your root key. How many of your current devices do you expect to be using in 80 years? I thought so...

Hopefully none, at half-life. That's the point.

> Beyond that, at this point I would not issue any certificates that expire after 03:14:07 UTC on Jan 19, 2038. Doing otherwise is just asking for trouble. The reason is left as an exercise for the reader.

This is actually a good point. Epoch rollover? Are you suggesting that any cert set to expire after the epoch may tickle issues now?

> So -- I haven't answered your questions at all. Instead, I've asked questions of my own. --Steve Bellovin, http://www.cs.columbia.edu/~smb
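An added illustration of the 2038 point (not part of the thread): the cutoff Bellovin names is exactly 2^31-1 seconds past the Unix epoch, and an acceptor that stores notAfter in a signed 32-bit time_t wraps any later date to a negative value, so its validity check reports the certificate as already expired. The validity window and the "now" value are constructed for the example.

```python
"""Why a certificate expiring after 2038-01-19T03:14:07Z is risky on
32-bit time_t acceptors: notAfter wraps negative and a naive validity
check (notBefore <= now <= notAfter) reports the cert as expired."""
from datetime import datetime, timezone, timedelta

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1          # last second a signed 32-bit time_t can hold


def to_epoch(dt):
    """Seconds since the Unix epoch for a tz-aware datetime."""
    return int((dt - EPOCH).total_seconds())


def from_epoch(seconds):
    """Inverse of to_epoch; works for negative values on every platform."""
    return EPOCH + timedelta(seconds=seconds)


def as_time_t32(seconds):
    """Emulate storing an epoch value in a signed 32-bit time_t (two's-complement wrap)."""
    wrapped = seconds & 0xFFFFFFFF
    return wrapped - 2**32 if wrapped > INT32_MAX else wrapped


def y2038_unsafe(not_after):
    """True if this notAfter cannot be represented by a signed 32-bit time_t."""
    return to_epoch(not_after) > INT32_MAX


def naive_is_valid(not_before, not_after, now, bits=32):
    """Validity check as an acceptor with a `bits`-wide signed time_t performs it."""
    conv = as_time_t32 if bits == 32 else (lambda s: s)
    t = conv(to_epoch(now))
    return conv(to_epoch(not_before)) <= t <= conv(to_epoch(not_after))


# Constructed certificate validity windows (not taken from any real certificate).
NOT_BEFORE = datetime(2007, 9, 5, tzinfo=timezone.utc)
NOT_AFTER_LONG = datetime(2040, 1, 1, tzinfo=timezone.utc)                # past the cutoff
NOT_AFTER_SAFE = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)     # Bellovin's cutoff
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)                           # constructed clock value

if __name__ == "__main__":
    print("2^31-1 seconds is", from_epoch(INT32_MAX))
    print("32-bit acceptor sees notAfter as", from_epoch(as_time_t32(to_epoch(NOT_AFTER_LONG))))
    print("32-bit check says valid:", naive_is_valid(NOT_BEFORE, NOT_AFTER_LONG, NOW))
    print("64-bit check says valid:", naive_is_valid(NOT_BEFORE, NOT_AFTER_LONG, NOW, bits=64))
```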