[144592] in cryptography@c2.net mail archive

RE: HSM outage causes root CA key loss

daemon@ATHENA.MIT.EDU (Weger, B.M.M. de)
Wed Jul 15 14:55:39 2009

From: "Weger, B.M.M. de" <b.m.m.d.weger@TUE.nl>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "jis@mit.edu" <jis@mit.edu>
CC: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Date: Wed, 15 Jul 2009 20:04:27 +0200
In-Reply-To: <E1MR4an-0001FG-Ek@wintermute01.cs.auckland.ac.nz>

Hi,

>>Our current Server CA certificate will expire in 2026 (when hopefully it
>>won't be my problem!).
>
>Thus the universal CA root cert lifetime policy, "the lifetime of a CA root
>certificate is the time till retirement of the person in charge at its
>creation, plus five years" :-).

This neglects the not entirely unlikely possibility that long before your retirement
some clever person will have broken your cryptographic hash function or
signature scheme.

I once saw a document referring to a PKI with a proposed certificate lifetime
of 100 years. Those people really care about their grandchildren.

Grtz,
Benne

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com