[99104] in North American Network Operators' Group


Re: PKI operators anyone?

daemon@ATHENA.MIT.EDU (Chris Marlatt)
Wed Sep 5 14:14:26 2007

Date: Wed, 05 Sep 2007 13:51:54 -0400
From: Chris Marlatt <cmarlatt@rxsec.com>
To: Sean Donelan <sean@donelan.com>
CC: John Curran <jcurran@mail.com>,
        North American Networking and Offtopic Gripes List <nanog@nanog.org>
In-Reply-To: <Pine.GSO.4.64.0709051243110.254@clifden.donelan.com>
Errors-To: owner-nanog@merit.edu


Sean Donelan wrote:
> 
> If you re-issue (and check) CRL's daily for 10 year certificates, your
> exposure is a day, not 10 years.
> 

Isn't this making the assumption that you know there has been a
compromise? With the certificate expiring at a shorter interval you're
guaranteed that the exposure is a shorter period of time regardless of
whether you know the certificate is compromised or not. This, however,
also assumes that the method "they" used to compromise the old
certificate cannot be used again to compromise the new one in a similar
fashion.

Regards,
	Chris
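A small model of the exposure windows the two messages above are arguing about (daily CRL re-issue for a long-lived certificate versus a short validity period), added here as an illustration and not part of the original thread; the policies, day counts and scenario timings are constructed, and the `Policy` and `exposure_days` names are this example's own.

```python
"""Exposure-window model for the CRL-versus-short-lifetime discussion.

Times are days since certificate issuance. A relying party is assumed to
fetch every CRL the CA publishes; the CA publishes on a fixed schedule and
revokes a key only once the compromise has been detected and reported.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    validity_days: float                  # certificate lifetime
    crl_interval_days: Optional[float]    # CRL re-issue period; None = no CRL


def exposure_days(policy: Policy, compromised_at: float,
                  detected_at: Optional[float]) -> float:
    """Days during which a CRL-checking relying party still accepts the key.

    The window closes at the earliest of:
      * certificate expiry, which needs no detection at all (the point
        made in the reply above), or
      * the first scheduled CRL publication at or after detection, which is
        the daily-CRL argument in the quoted message.
    An undetected compromise (detected_at is None) is bounded only by expiry.
    """
    if not 0 <= compromised_at <= policy.validity_days:
        raise ValueError("compromise must fall inside the validity period")
    end = policy.validity_days
    if detected_at is not None and policy.crl_interval_days:
        if detected_at < compromised_at:
            raise ValueError("detection cannot precede compromise")
        step = policy.crl_interval_days
        next_crl = math.ceil(detected_at / step) * step   # next publication
        end = min(end, next_crl)
    return end - compromised_at


# Constructed scenarios: a 10-year certificate with a daily CRL, and a
# 30-day certificate with no CRL at all.
LONG_LIVED_DAILY_CRL = Policy(validity_days=3650, crl_interval_days=1)
SHORT_LIVED_NO_CRL = Policy(validity_days=30, crl_interval_days=None)

if __name__ == "__main__":
    for policy in (LONG_LIVED_DAILY_CRL, SHORT_LIVED_NO_CRL):
        detected = exposure_days(policy, 10, 10.5)      # noticed within a day
        silent = exposure_days(policy, 10, None)        # never noticed
        print(f"{policy}: detected={detected:g}d undetected={silent:g}d")
```

The undetected case is the one the reply is about: with the daily CRL it runs to the ten-year expiry, while the short-lived certificate caps it at the remaining lifetime whether or not anyone ever notices.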
