nanog mailing list archives
RE: PKI operators anyone?
From: "Security Admin (NetSec)" <secadmin () netsecdesign com>
Date: Wed, 5 Sep 2007 19:50:05 -0700
> MS-PRESS recommended design guidelines for multi-tier PKI systems for validity periods are along the lines of 8 years for the root, 4 years for the "policy", 2 years for the "issuing", 1 year for the issued certificate

Don't forget that Microsoft would like you to buy their OS once every five years or so, not every 80 years.

4 tiers is a bit much; three would work fine in most organizations. IMHO 10/5/3/1 is OK, 10/5/2 for three-tier.

Issuing certs to clients can be automated via GPO with zero client downtime. It is the renewal upstream to the root CAs by the subordinates which can cause issues and downtime if not properly managed.

Edward Ray
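As an added example (not part of Edward Ray's message or of anything else in this thread), the following POSIX shell script builds a three-tier hierarchy with openssl using the 10/5/2/1-year lifetimes discussed above, then uses `openssl verify -attime` to evaluate the chain at future dates. The last function illustrates the renewal caveat in the post: a leaf certificate stops validating the moment a subordinate CA above it expires, even though the leaf itself is still within its own notBefore/notAfter window. Names such as "Example Root CA" and host.example.test, the P-256 keys, and the 30-day short-lived issuing CA are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires openssl (1.1.1 or 3.x).
# Builds root -> policy -> issuing -> leaf in a temp dir with the 10/5/2/1-year
# lifetimes from the discussion and checks chain validity at chosen points in time.
set -e

WORK=$(mktemp -d)
ROOT_DAYS=3650      # ~10 years
POLICY_DAYS=1825    # ~5 years
ISSUING_DAYS=730    # ~2 years
LEAF_DAYS=365       # 1 year

# x509v3 extensions for CA and end-entity certificates (assumed minimal profiles)
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=serverAuth'

# sign_cert <parent-name|self> <name> <CN> <days> <extensions>
# Generates a P-256 key and CSR for <name>, then signs it with <parent>'s key
# (or self-signs when parent is "self"), with the given lifetime in days.
sign_cert() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf '%s\n' "$5" > "$WORK/$2.ext"
  if [ "$1" = self ]; then
    signer="-signkey $WORK/$2.key"
  else
    signer="-CA $WORK/$1.crt -CAkey $WORK/$1.key -CAcreateserial"
  fi
  # word-splitting of $signer is intended
  openssl x509 -req -sha256 -days "$4" -in "$WORK/$2.csr" $signer \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Build the three-tier hierarchy plus one leaf, and the untrusted chain file.
build_pki() {
  sign_cert self    root    "Example Root CA"    "$ROOT_DAYS"    "$CA_EXT"
  sign_cert root    policy  "Example Policy CA"  "$POLICY_DAYS"  "$CA_EXT"
  sign_cert policy  issuing "Example Issuing CA" "$ISSUING_DAYS" "$CA_EXT"
  sign_cert issuing leaf    "host.example.test"  "$LEAF_DAYS"    "$LEAF_EXT"
  cat "$WORK/policy.crt" "$WORK/issuing.crt" > "$WORK/chain.pem"
}

# Print the notAfter of each tier so the staggered lifetimes are visible.
show_lifetimes() {
  for t in root policy issuing leaf; do
    printf '%-8s ' "$t"; openssl x509 -in "$WORK/$t.crt" -noout -enddate
  done
}

# verify_at <epoch-seconds> <untrusted-chain-file> <leaf-name>
# Path-validates the leaf against the root as of the given time; prints valid/invalid.
verify_at() {
  if openssl verify -attime "$1" -CAfile "$WORK/root.crt" \
       -untrusted "$2" "$WORK/$3.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# The caveat from the post: an issuing CA that is not renewed in time takes every
# certificate below it with it. Here the issuing CA has 30 days left while the
# leaf it signs is good for a year; 60 days out, the leaf alone is fine but the
# chain is not.
expiring_issuer_demo() {
  sign_cert policy        issuing-short "Example Issuing CA 2" 30           "$CA_EXT"
  sign_cert issuing-short leaf-short    "host.example.test"   "$LEAF_DAYS" "$LEAF_EXT"
  cat "$WORK/policy.crt" "$WORK/issuing-short.crt" > "$WORK/chain-short.pem"
  later=$(( $(date +%s) + 60 * 86400 ))
  # -checkend exits 0 when the cert does NOT expire within the given seconds
  if openssl x509 -in "$WORK/leaf-short.crt" -noout -checkend $((60 * 86400)) >/dev/null; then
    leaf_self=ok
  else
    leaf_self=expired
  fi
  echo "leaf_self=$leaf_self chain=$(verify_at "$later" "$WORK/chain-short.pem" leaf-short)"
}

build_pki
show_lifetimes
now=$(date +%s)
echo "leaf via full chain, tomorrow:       $(verify_at $((now + 86400)) "$WORK/chain.pem" leaf)"
echo "leaf via full chain, in three years: $(verify_at $((now + 3 * 365 * 86400)) "$WORK/chain.pem" leaf)"
echo "leaf under an unrenewed issuing CA:  $(expiring_issuer_demo)"
```

Evaluating the chain with `-attime` is a cheap way to rehearse the renewal calendar before it bites: run it at each subordinate's notAfter minus your renewal lead time and confirm that the replacement CA certificate (and the chain file clients receive) is in place well before the old one lapses.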