PKI operators anyone?
sean at donelan.com
Wed Sep 5 18:46:49 UTC 2007
On Wed, 5 Sep 2007, Chris Marlatt wrote:
>> If you re-issue (and check) CRLs daily for 10 year certificates, your
>> exposure is a day, not 10 years.
> Isn't this making the assumption that you know there has been a
> compromise? With the certificate expiring at a shorter interval you're
> guaranteed that the exposure is a shorter period of time regardless
> whether you know the certificate is compromised or not. This however
> also assumes that the method "they" used to compromise the old
> certificate cannot be used again to compromise the new one in a similar
Since this is true across all authentication systems, why not have the
same validity periods for passwords, PKI certificates, hardware tokens?
If you require people to change passwords every 7 days because you don't
know if the password might have been compromised, shouldn't you also
change your PKI certificates every 7 days, and your hardware tokens every
7 days, because you don't know whether or not they've been compromised?
Maybe PKI certificates should be one-time use only, because you never
know if they've been compromised.
The validity period should be an output of your administrative procedures
and risk assessment (really risk acceptance); not an input.
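The exposure argument in the exchange above, as an added example that is not part of the original thread or anyone's posted code: a small Python model of a relying party that checks both certificate validity and a CRL republished on a fixed cadence, where a revocation only appears on a CRL published after the CA learned of the compromise. The CA, serial numbers, epoch and scenario timings are constructed for the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed epoch for the model; any fixed instant works.
T0 = datetime(2007, 9, 5)


@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    this_update: datetime
    revoked: frozenset


class ToyCA:
    """Hypothetical CA: issues certs and publishes a fresh CRL every `crl_interval`.
    A revocation reaches only CRLs published after the CA learned of it."""

    def __init__(self, crl_interval: timedelta):
        self.crl_interval = crl_interval
        self.revocations: List[Tuple[int, datetime]] = []  # (serial, time CA learned)

    def issue(self, serial: int, now: datetime, lifetime: timedelta) -> Cert:
        return Cert(serial, now, now + lifetime)

    def revoke(self, serial: int, learned_at: datetime) -> None:
        self.revocations.append((serial, learned_at))

    def crl_at(self, now: datetime) -> CRL:
        """The CRL a relying party holds at `now`: the latest one on the publication grid."""
        elapsed = now - T0
        published = T0 + (elapsed // self.crl_interval) * self.crl_interval
        return CRL(published, frozenset(s for s, when in self.revocations if when <= published))


def accepts(cert: Cert, crl: CRL, now: datetime) -> bool:
    """Relying-party check: inside the validity window and absent from the current CRL."""
    return cert.not_before <= now < cert.not_after and cert.serial not in crl.revoked


def exposure(lifetime: timedelta, crl_interval: timedelta, compromised_at: timedelta,
             detected_at: Optional[timedelta] = None,
             step: timedelta = timedelta(hours=1)) -> timedelta:
    """Total time after `compromised_at` (offset from T0) during which relying
    parties still accept the compromised cert, stepping through time in `step`."""
    ca = ToyCA(crl_interval)
    cert = ca.issue(1, T0, lifetime)
    if detected_at is not None:
        ca.revoke(cert.serial, T0 + detected_at)
    t = T0 + compromised_at
    accepted = 0
    while t < cert.not_after:
        if accepts(cert, ca.crl_at(t), t):
            accepted += 1
        t += step
    return accepted * step


def scenarios() -> Dict[str, timedelta]:
    """Four constructed cases contrasting lifetime, CRL cadence and detection."""
    day, year = timedelta(days=1), timedelta(days=365)
    two_hours = timedelta(hours=2)
    return {
        # 10-year cert, daily CRL, compromise noticed two hours after it happened
        "10y_daily_crl_detected": exposure(10 * year, day, 100 * day, 100 * day + two_hours),
        # same cert and CRL cadence, compromise never noticed: CRL cadence does nothing
        "10y_daily_crl_undetected": exposure(10 * year, day, 100 * day),
        # 7-day cert, daily CRL, never noticed: only the lifetime bounds the window
        "7d_daily_crl_undetected": exposure(7 * day, day, 2 * day),
        # 7-day cert, detected two hours in: same window as the 10-year cert
        "7d_daily_crl_detected": exposure(7 * day, day, 2 * day, 2 * day + two_hours),
    }


if __name__ == "__main__":
    for name, window in scenarios().items():
        print(f"{name:28s} exposure = {window}")
```

The two undetected rows make the reply's point concrete: without detection the CRL cadence contributes nothing and only the remaining lifetime bounds exposure. The two detected rows make the quoted point: once the compromise is known, exposure is the detection delay plus at most one CRL interval, whatever the lifetime. Which of those two regimes to plan for is the risk-acceptance decision the post describes.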