[99108] in North American Network Operators' Group
Re: PKI operators anyone?
daemon@ATHENA.MIT.EDU (Joe Maimon)
Wed Sep 5 15:52:52 2007
Date: Wed, 05 Sep 2007 15:43:06 -0400
From: Joe Maimon <jmaimon@ttec.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
CC: North American Networking and Offtopic Gripes List <nanog@nanog.org>
In-Reply-To: <20070905192936.60C0E76610B@berkshire.machshav.com>
Errors-To: owner-nanog@merit.edu
Steven M. Bellovin wrote:
> The question about root key lifetime turns not just on the security
> issues but on how easy it is to change the root key, either routinely
> or in event of a compromise. To a first approximation, no certificate
> acceptor *ever* changes its notion of root keys. In that case, the
> question is how many acceptors you have, what their lifetime is, and
> how easily you can be one of the rare people who does change the root.
> That's why browsers have long-lived certificates built in -- that list
> rarely changes. You suggest an 80-year lifetime for your root key.
> How many of your current devices do you expect to be using in 80
> years? I thought so...
Hopefully none, at half-life. Thats the point.
>
> Beyond that, at this point I would not issue any certificates that
> expire after 03:14:07 UTC on Jan 19, 2038. Doing otherwise is just
> asking for trouble. The reason is left as an exercise for the reader.
This is actually a good point. Epoch rollover? Are you suggesting that
any cert set to expire after the epoch may tickle issues now?
>
> So -- I haven't answered your questions at all. Instead, I've asked
> questions of my own.
>
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
>
>
