Re: PKI operators anyone?

[Joe Maimon <jmaimon () ttec com>]

John Curran wrote:

> At 10:06 AM -0400 9/5/07, Joe Maimon wrote:
>
> > 80 years for the root, 4096bit key
> > 35 years for the policy, 4096bit key
> > 15 years for the issuing, ?bit key
> > <=5 years for the issued certificates.
> >
> > Good idea? Bad Idea? Comments?
>
>
> Joe -
>  
>   What's the implications of a single issued certificate being
>   cracked, and again for one of the root/policy/issuing set?
>
>   There's quite a bit of speedy hardware out there today
>   (particularly if you count things like repurposed video
>   processors) and 5 years is a *very* long time in our
>   industry.   You can actually hunt down the CPS for
>   most public CA's, and I think you'll find that they put
>   up with the "loads of fun every 11 months or so..."
>  
>   However, for them the implications of a compromised
>   issued cert is potential customer liability, and for an
>   the issuing certificate or above is basically loss of their
>   confidence in their entire business of being a CA.  You
>   have to assess the implications based on the expected
>   certificate use for your CA.
>
> Hope this helps,
> /John


Sounds like what you are saying is that creating validity periods based 
on expected cracking time is an excerise in futility then.

I dont see verisign roots expiring every five years.