[99090] in North American Network Operators' Group
Re: PKI operators anyone?
daemon@ATHENA.MIT.EDU (John Curran)
Wed Sep 5 10:40:13 2007
In-Reply-To: <46DEB7D2.1020903@ttec.com>
Date: Wed, 5 Sep 2007 10:27:32 -0400
To: Joe Maimon <jmaimon@ttec.com>
From: John Curran <jcurran@mail.com>
Cc: North American Networking and Offtopic Gripes List <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu
At 10:06 AM -0400 9/5/07, Joe Maimon wrote:
>
>80 years for the root, 4096bit key
>35 years for the policy, 4096bit key
>15 years for the issuing, ?bit key
><=5 years for the issued certificates.
>
>Good idea? Bad Idea? Comments?
Joe -
What are the implications of a single issued certificate being
cracked, and again for one of the root/policy/issuing set?
There's quite a bit of speedy hardware out there today
(particularly if you count things like repurposed video
processors) and 5 years is a *very* long time in our
industry. You can actually hunt down the CPS for
most public CAs, and I think you'll find that they put
up with the "loads of fun every 11 months or so..."
However, for them the implications of a compromised
issued cert are potential customer liability, and for
the issuing certificate or above are basically loss of
confidence in their entire business of being a CA. You
have to assess the implications based on the expected
certificate use for your CA.
Hope this helps,
/John
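Added example (not part of the thread, and not code from either poster): a small standard-library Python model of the four-tier hierarchy Joe proposed, used to work through the questions John raises. It checks what validity each tier really gets when it is not issued on day one of its signer (a certificate should not outlive the certificate that signed it), lists which tiers have to be revoked and reissued if a given key is cracked, and compares the 5-year leaf lifetime with the roughly 11-month reissue cycle John attributes to public CAs. The issuing tier's key size is kept unspecified because the proposal left it as "?bit"; the function names and finding strings are this example's own conventions.

```python
"""Model of the proposed root -> policy -> issuing -> issued CA hierarchy.

Added example, not code from the NANOG thread. Lifetimes and key sizes are
taken from the proposal quoted in the thread; PUBLIC_CA_LEAF_MONTHS is the
"every 11 months or so" figure from the reply. Everything else is this
example's own convention.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tier:
    name: str
    lifetime_years: float
    key_bits: Optional[int]  # None: key size not stated in the proposal


# Constructed from the proposal in the thread, top of the chain first.
PROPOSED: List[Tier] = [
    Tier("root", 80, 4096),
    Tier("policy", 35, 4096),
    Tier("issuing", 15, None),  # "?bit key" in the proposal
    Tier("issued", 5, None),    # "<=5 years"; key size not stated
]

# Reference rotation period for end-entity certs at public CAs (from the reply).
PUBLIC_CA_LEAF_MONTHS = 11


def effective_lifetimes(tiers: List[Tier], issue_offsets: List[float]) -> Dict[str, float]:
    """Validity each tier actually gets, in years, when tier i is issued
    issue_offsets[i] years after its signer's notBefore. A certificate is
    clamped so it never outlives the certificate that signed it; the first
    tier is the self-signed root and simply gets its full lifetime."""
    result: Dict[str, float] = {}
    parent_remaining: Optional[float] = None
    for tier, offset in zip(tiers, issue_offsets):
        if parent_remaining is None:
            life = tier.lifetime_years
        else:
            life = min(tier.lifetime_years, max(parent_remaining - offset, 0))
        result[tier.name] = life
        parent_remaining = life
    return result


def compromise_impact(tiers: List[Tier], compromised: str) -> List[str]:
    """Tiers that must be revoked and reissued if the private key behind
    `compromised` is cracked: that tier plus everything it transitively
    signed. For the root this is the whole hierarchy, and the trust anchor
    itself has to be redistributed to every relying party."""
    names = [t.name for t in tiers]
    return names[names.index(compromised):]


def issuances_over(horizon_years: float, lifetime_years: float) -> int:
    """How many times a certificate with the given lifetime is (re)issued
    across a horizon, e.g. over the root's entire life."""
    return math.ceil(horizon_years / lifetime_years)


def findings(tiers: List[Tier], leaf_reference_months: float = PUBLIC_CA_LEAF_MONTHS) -> List[str]:
    """Review the proposal the way the reply suggests: unspecified key sizes
    are a gap in the design, and a leaf lifetime far above the reference
    rotation period means each end-entity key is exposed for that much
    longer to whatever hardware is available over its life."""
    out: List[str] = []
    for tier in tiers:
        if tier.key_bits is None:
            out.append(f"{tier.name}: key size not specified")
    leaf = tiers[-1]
    leaf_months = leaf.lifetime_years * 12
    if leaf_months > leaf_reference_months:
        out.append(
            f"{leaf.name}: {leaf_months:.0f}-month lifetime vs ~{leaf_reference_months}-month "
            f"public-CA practice ({leaf_months / leaf_reference_months:.1f}x longer exposure per key)"
        )
    return out


if __name__ == "__main__":
    for line in findings(PROPOSED):
        print("finding:", line)
    print("nominal lifetimes:", effective_lifetimes(PROPOSED, [0, 0, 0, 0]))
    # Policy CA created in year 50 of the root, issuing CA in year 25 of the policy CA.
    print("late issuance:", effective_lifetimes(PROPOSED, [0, 50, 25, 0]))
    for name in ("issued", "issuing", "root"):
        print(f"{name} key cracked -> reissue {compromise_impact(PROPOSED, name)}")
    print("leaf issuances over the root's 80 years:", issuances_over(80, 5),
          "at 5 years vs", issuances_over(80, PUBLIC_CA_LEAF_MONTHS / 12), "at ~11 months")
```

The late-issuance case is the one people trip over: a 15-year issuing CA created in year 25 of a 35-year policy CA only gets 10 years, and if the policy CA was itself created in year 50 of the root it gets even less, so the long nominal lifetimes at the top of the chain do not buy as much as they appear to. The compromise list makes John's point concrete: cracking one issued cert costs one reissue, cracking the issuing key means reissuing everything below it.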