[99105] in North American Network Operators' Group

Re: PKI operators anyone?

daemon@ATHENA.MIT.EDU (Sean Donelan)
Wed Sep 5 14:48:41 2007

Date: Wed, 5 Sep 2007 14:46:49 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: Chris Marlatt <cmarlatt@rxsec.com>
cc: North American Networking and Offtopic Gripes List <nanog@nanog.org>
In-Reply-To: <46DEECBA.2070901@rxsec.com>
Errors-To: owner-nanog@merit.edu


On Wed, 5 Sep 2007, Chris Marlatt wrote:
>> If you re-issue (and check) CRLs daily for 10 year certificates, your
>> exposure is a day, not 10 years.
>
> Isn't this making the assumption that you know there has been a
> compromise? With the certificate expiring at a shorter interval you're
> guaranteed that the exposure is a shorter period of time regardless
> whether you know the certificate is compromised or not. This however
> also assumes that the method "they" used to compromise the old
> certificate cannot be used again to compromise the new one in a similar
> fashion.

Since this is true across all authentication systems, why not have the
same validity periods for passwords, PKI certificates, and hardware tokens?

If you require people to change passwords every 7 days, because you don't
know if the password might have been compromised, shouldn't you also
change your PKI certificates every 7 days, and your hardware tokens every
7 days, because you don't know whether or not they've been compromised?
Maybe PKI certificates should be one-time use only, because you never
know if they've been compromised.

The validity period should be an output of your administrative procedures
and risk assessment (really risk acceptance), not an input.
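The two positions in this exchange (a short certificate lifetime bounds exposure whether or not the compromise is noticed; daily CRL issuance bounds it only once someone notices) can be put side by side in a small model. The following Python is an added illustration and is not code from the thread or from any NANOG participant. It assumes a simplified relying-party behaviour: a certificate is honoured until its notAfter, and after a revocation the key keeps being honoured until the next CRL reaches the relying party, i.e. for up to one CRL interval after detection. The issue date, the 2-day compromise and the 30-day detection lag are constructed values, not figures from the discussion.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

DAY = timedelta(days=1)
# Constructed reference date for the worked scenarios (not from the thread).
ISSUED = datetime(2007, 9, 5)


@dataclass(frozen=True)
class Policy:
    """Validity knobs as a relying party enforces them (simplified model)."""
    cert_lifetime: timedelta  # notAfter - notBefore
    crl_interval: timedelta   # CRL reissue period; relying parties refetch each interval


def exposure_window(policy: Policy, issued_at: datetime, compromised_at: datetime,
                    detected_at: Optional[datetime] = None) -> timedelta:
    """Worst-case period during which a compromised key is still honoured.

    Undetected compromise: only notAfter ends the exposure.
    Detected compromise: the CA revokes, but the entry reaches relying parties
    only with the next CRL, and a cached CRL is trusted until its nextUpdate,
    so the key stays honoured for up to one CRL interval after detection.
    """
    expiry = issued_at + policy.cert_lifetime
    cutoffs = [expiry]
    if detected_at is not None:
        cutoffs.append(detected_at + policy.crl_interval)
    window = min(cutoffs) - compromised_at
    return max(window, timedelta(0))  # compromise after the cut-off means no exposure


def scenarios(issued_at: datetime = ISSUED,
              compromised_at: datetime = ISSUED + 2 * DAY,
              detected_at: datetime = ISSUED + 32 * DAY) -> Dict[str, timedelta]:
    """The two policies argued over in the thread, with and without detection.

    Defaults (constructed): key stolen two days after issuance, operator
    notices 30 days later.
    """
    long_lived = Policy(cert_lifetime=10 * 365 * DAY, crl_interval=1 * DAY)
    short_lived = Policy(cert_lifetime=7 * DAY, crl_interval=7 * DAY)
    return {
        "10y cert, daily CRL, compromise detected":
            exposure_window(long_lived, issued_at, compromised_at, detected_at),
        "10y cert, daily CRL, never detected":
            exposure_window(long_lived, issued_at, compromised_at),
        "7-day cert, compromise detected":
            exposure_window(short_lived, issued_at, compromised_at, detected_at),
        "7-day cert, never detected":
            exposure_window(short_lived, issued_at, compromised_at),
    }


if __name__ == "__main__":
    for label, window in scenarios().items():
        print(f"{label:45s} {window.days:5d} days")
```

With the default inputs the long-lived certificate is exposed for 31 days when the theft is noticed (30 days to detect plus one CRL interval) and for 3648 days when it never is, while the 7-day certificate is exposed for 5 days in both cases. That is the trade-off the thread is circling: the CRL interval only matters once detection happens, and the lifetime is the ceiling that applies regardless, which is why the author above treats the period as an output of the operator's detection capability and risk acceptance rather than a fixed input.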
