PKI operators anyone?

John Curran jcurran at
Wed Sep 5 16:22:45 UTC 2007

At 11:25 AM -0400 9/5/07, Joe Maimon wrote:
>Sounds like what you are saying is that creating validity periods based on expected cracking time is an exercise in futility then.

No, what I'm saying is that the cracking time is likely shorter than
we imagine, and an 80 year root and 15 year issuing certificate
expiration may be considered optimistic by some.  Again, it also
depends on what exactly are the consequences of success versus
the maintenance headache.

>I don't see VeriSign roots expiring every five years.

I believe that they're on 30 years or so for the root CA
certificates, and shorter periods for the intermediates.


More information about the NANOG mailing list