PKI operators anyone?

Sean Donelan sean at
Wed Sep 5 18:46:49 UTC 2007

On Wed, 5 Sep 2007, Chris Marlatt wrote:
>> If you re-issue (and check) CRLs daily for 10 year certificates, your
>> exposure is a day, not 10 years.
> Isn't this making the assumption that you know there has been a
> compromise? With the certificate expiring at a shorter interval you're
> guaranteed that the exposure is a shorter period of time regardless
> whether you know the certificate is compromised or not. This however
> also assumes that the method "they" used to compromise the old
> certificate cannot be used again to compromise the new one in a similar
> fashion.

Since this is true across all authentication systems, why not have the 
same validity periods for passwords, PKI certificates, hardware tokens?

If you require people to change passwords every 7 days, because you don't
know if the password might have been compromised, shouldn't you also
change your PKI certificates every 7 days, and your hardware tokens every
7 days because you don't know whether or not they've been compromised?
Maybe PKI certificates should be one-time use only, because you never
know if they've been compromised.

The validity period should be an output of your administrative procedures
and risk assessment (really risk acceptance), not an input.
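The two positions in this thread (daily CRL checking bounds exposure to about a day once a compromise is noticed; a short validity period bounds it whether or not anyone notices) are easy to put side by side with a small model. The following is an added example, not code from either poster, and the `Scenario` fields and the simplifying assumptions in the comments (revocation takes effect at the next scheduled CRL issue, relying parties fetch every CRL on time) are mine.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One compromise timeline, all values in days relative to certificate issuance."""
    validity_days: float            # certificate lifetime (notBefore -> notAfter)
    crl_interval_days: float        # how often a fresh CRL is issued and re-fetched
    compromise_day: float           # day the private key falls into the wrong hands
    detected_day: Optional[float]   # day the operator notices; None means never


def exposure_days(s: Scenario) -> float:
    """Days during which relying parties still accept the compromised certificate.

    Assumptions (constructed for this example):
    - Revocation becomes visible at the first CRL issue strictly after detection.
    - Relying parties fetch each CRL as soon as it is issued. A relying party that
      caches a CRL until its nextUpdate can lag by up to one more interval, so
      treat the result as a lower bound.
    - Without detection there is no revocation; only expiry ends the exposure.
    """
    if s.compromise_day >= s.validity_days:
        return 0.0  # key compromised after the certificate already expired

    if s.detected_day is None:
        revocation_visible = math.inf
    else:
        issues_before = math.floor(s.detected_day / s.crl_interval_days)
        revocation_visible = (issues_before + 1) * s.crl_interval_days

    end_of_acceptance = min(s.validity_days, revocation_visible)
    return max(0.0, end_of_acceptance - s.compromise_day)


def compare_policies(compromise_day: float, detected_day: Optional[float]) -> dict:
    """Exposure under the two policies argued in the thread, for one compromise timeline."""
    long_lived = Scenario(validity_days=10 * 365, crl_interval_days=1,
                          compromise_day=compromise_day, detected_day=detected_day)
    short_lived = Scenario(validity_days=7, crl_interval_days=1,
                           compromise_day=compromise_day % 7,  # same point in the current cert
                           detected_day=None if detected_day is None
                           else compromise_day % 7 + (detected_day - compromise_day))
    return {
        "10y cert, daily CRL": exposure_days(long_lived),
        "7d cert, daily CRL": exposure_days(short_lived),
    }


if __name__ == "__main__":
    # Constructed timelines: detected three days after compromise, and never detected.
    for label, detected in (("detected on day 1003", 1003.0), ("never detected", None)):
        print(f"compromise on day 1000, {label}:")
        for policy, days in compare_policies(1000.0, detected).items():
            print(f"  {policy:22s} exposure = {days:g} days")
```

With detection, both policies give a window of a few days, so the daily CRL is what matters; without detection, the ten-year certificate stays accepted for the remaining years while the seven-day one dies within the week. What the model deliberately does not capture is the caveat in the quoted reply: if the attacker can repeat the compromise against each re-issued certificate, a short validity period resets the window rather than closing it.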
