[99095] in North American Network Operators' Group


Re: PKI operators anyone?

daemon@ATHENA.MIT.EDU (Joe Maimon)
Wed Sep 5 11:40:23 2007

Date: Wed, 05 Sep 2007 11:25:11 -0400
From: Joe Maimon <jmaimon@ttec.com>
To: John Curran <jcurran@mail.com>
CC: North American Networking and Offtopic Gripes List <nanog@nanog.org>
In-Reply-To: <p06240803c3046b46175e@[192.168.4.135]>
Errors-To: owner-nanog@merit.edu

John Curran wrote:

> At 10:06 AM -0400 9/5/07, Joe Maimon wrote:
> 
>>80 years for the root, 4096bit key
>>35 years for the policy, 4096bit key
>>15 years for the issuing, ?bit key
>><=5 years for the issued certificates.
>>
>>Good idea? Bad Idea? Comments?
> 
> 
> Joe -
>  
>   What are the implications of a single issued certificate being
>   cracked, and again for one of the root/policy/issuing set?
> 
>   There's quite a bit of speedy hardware out there today
>   (particularly if you count things like repurposed video
>   processors) and 5 years is a *very* long time in our
>   industry.   You can actually hunt down the CPS for
>   most public CAs, and I think you'll find that they put
>   up with the "loads of fun every 11 months or so..."
>  
>   However, for them the implications of a compromised
>   issued cert is potential customer liability, and for
>   the issuing certificate or above is basically loss of their
>   confidence in their entire business of being a CA.  You
>   have to assess the implications based on the expected
>   certificate use for your CA.
> 
> Hope this helps,
> /John
> 


Sounds like what you are saying is that creating validity periods based 
on expected cracking time is an exercise in futility then.

I don't see VeriSign roots expiring every five years.
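As an added example (not from the thread or from either poster), here is a small stdlib-only Python model of the four-tier hierarchy Joe proposed. It instantiates the tiers with the posted validity periods and key sizes, checks that no certificate outlives or predates its issuer, flags keys below a per-tier floor, and computes the one number a validity design like this hinges on: how late in a CA's life it can still sign a full-validity subordinate. The `YEAR` constant, the `min_key_bits` floors, the 2048-bit leaf size and the 2007-09-05 start date are assumptions made for the example; the issuing-tier key size is left `None` because the original post leaves it as "?bit".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# One calendar year for planning purposes (assumption; real certs use exact dates).
YEAR = timedelta(days=365.25)


@dataclass(frozen=True)
class CertTier:
    """One level of the hierarchy from the thread (constructed values)."""
    name: str
    validity_years: int
    key_bits: Optional[int]   # None where the post leaves the size open ("?bit key")
    min_key_bits: int         # floor this tier must meet (assumption, not from the post)


# The hierarchy as posted: root 80y/4096, policy 35y/4096, issuing 15y/?, leaf <=5y.
PROPOSED = [
    CertTier("root", 80, 4096, 4096),
    CertTier("policy", 35, 4096, 4096),
    CertTier("issuing", 15, None, 2048),
    CertTier("issued", 5, 2048, 2048),   # 2048-bit leaf is an assumption
]


@dataclass(frozen=True)
class Cert:
    tier: str
    not_before: datetime
    not_after: datetime
    key_bits: Optional[int]


def last_issuance_date(child: CertTier, issuer_not_after: datetime) -> datetime:
    """Latest date at which an issuer expiring at `issuer_not_after` can sign a
    full-validity `child` certificate without the child outliving it."""
    return issuer_not_after - child.validity_years * YEAR


def usable_fraction(tier: CertTier, child: CertTier) -> float:
    """Share of `tier`'s lifetime during which it can still issue full-validity
    children; the remainder is dead time unless children are issued shorter."""
    return (tier.validity_years - child.validity_years) / tier.validity_years


def build_chain(start: datetime, tiers=PROPOSED,
                issue_offsets_years: Optional[List[int]] = None) -> List[Cert]:
    """Instantiate the hierarchy. Tier i is issued `issue_offsets_years[i]` years
    after `start` (default: everything issued on day one)."""
    offsets = issue_offsets_years or [0] * len(tiers)
    chain = []
    for tier, off in zip(tiers, offsets):
        nb = start + off * YEAR
        chain.append(Cert(tier.name, nb, nb + tier.validity_years * YEAR, tier.key_bits))
    return chain


def check_chain(chain: List[Cert], tiers=PROPOSED) -> List[str]:
    """Return human-readable problems: a cert outliving or predating its issuer,
    or a key below the tier's floor. An empty list means the chain is consistent."""
    problems = []
    for i, (cert, tier) in enumerate(zip(chain, tiers)):
        if cert.key_bits is not None and cert.key_bits < tier.min_key_bits:
            problems.append(f"{cert.tier}: {cert.key_bits}-bit key below floor {tier.min_key_bits}")
        if i == 0:
            continue  # the root is self-signed; nothing above it to nest inside
        issuer = chain[i - 1]
        if cert.not_before < issuer.not_before:
            problems.append(f"{cert.tier}: notBefore precedes issuer {issuer.tier}")
        if cert.not_after > issuer.not_after:
            problems.append(f"{cert.tier}: expires {cert.not_after.date()} after issuer "
                            f"{issuer.tier} ({issuer.not_after.date()})")
    return problems


if __name__ == "__main__":
    start = datetime(2007, 9, 5, tzinfo=timezone.utc)   # constructed start date
    chain = build_chain(start)
    print("day-one chain problems:", check_chain(chain) or "none")
    for tier, child, cert in zip(PROPOSED, PROPOSED[1:], chain):
        print(f"{tier.name}: last full-validity {child.name} issuance "
              f"{last_issuance_date(child, cert.not_after).date()}, "
              f"usable {usable_fraction(tier, child):.0%} of lifetime")
    # A leaf issued in year 12 of the 15-year issuing CA would outlive it.
    print("late leaf:", check_chain(build_chain(start, issue_offsets_years=[0, 0, 0, 12])))
```

With the posted periods, the root can issue full-length policy CAs for only the first 56% of its life, the policy CA for 57%, and the issuing CA for 67%; after those points each tier must either issue shorter subordinates or be rolled over, which is the operational cost the thread is weighing against key-cracking risk.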

