PKI operators anyone?
jmaimon at ttec.com
Wed Sep 5 15:25:11 UTC 2007
John Curran wrote:
> At 10:06 AM -0400 9/5/07, Joe Maimon wrote:
>>80 years for the root, 4096bit key
>>35 years for the policy, 4096bit key
>>15 years for the issuing, ?bit key
>><=5 years for the issued certificates.
>>Good idea? Bad Idea? Comments?
> Joe -
> What's the implications of a single issued certificate being
> cracked, and again for one of the root/policy/issuing set?
> There's quite a bit of speedy hardware out there today
> (particularly if you count things like repurposed video
> processors) and 5 years is a *very* long time in our
> industry. You can actually hunt down the CPS for
> most public CA's, and I think you'll find that they put
> up with the "loads of fun every 11 months or so..."
> However, for them the implications of a compromised
> issued cert is potential customer liability, and for an
> the issuing certificate or above is basically loss of their
> confidence in their entire business of being a CA. You
> have to assess the implications based on the expected
> certificate use for your CA.
> Hope this helps,
Sounds like what you are saying is that creating validity periods based
on expected cracking time is an excerise in futility then.
I dont see verisign roots expiring every five years.
More information about the NANOG