[99110] in North American Network Operators' Group
RE: PKI operators anyone?
daemon@ATHENA.MIT.EDU (Security Admin (NetSec))
Wed Sep 5 22:51:21 2007
From: "Security Admin (NetSec)" <secadmin@netsecdesign.com>
To: North American Networking and Offtopic Gripes List <nanog@nanog.org>
Date: Wed, 5 Sep 2007 19:50:05 -0700
In-Reply-To: <46DEB7D2.1020903@ttec.com>
Errors-To: owner-nanog@merit.edu
"MS-PRESS recommended design guidelines for multi-tier PKI systems for
validity periods are along the lines of
8 years for the root
4 years for the "policy"
2 years for the "issuing"
1 year for the issued certificate"
Don't forget that Microsoft would like you to buy their OS once every five years or so, not every 80 years.
4 tiers is a bit much; three would work fine in most organizations. IMHO 10/5/3/1 is OK, 10/5/2 for three tier. Issuing certs to clients can be automated via GPO with zero client downtime. It is the renewal upstream to the root CAs by the subordinates which can cause issues and downtimes if not properly managed.
Edward Ray
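The following is an added worked example, not code from the post above or from anyone on the thread. It models the 10/5/2 three-tier hierarchy (root / policy / issuing CA) with one-year leaf certificates that the post recommends and makes the "renewal upstream" problem concrete: an issuing CA cannot vouch for a certificate beyond its own notAfter, and a CA that is not renewed in time silently hands out shortened certificates. The model assumes the issued lifetime is capped at the earliest notAfter in the chain (the behaviour of Microsoft CA and most other issuers); the deployment date, tier names and issue dates are constructed sample values.

```python
"""Validity nesting and renewal deadlines for a multi-tier PKI.

Added example, not code from the original post. Models a 10/5/2
root / policy / issuing hierarchy with one-year leaf certificates and
answers two questions: how a leaf's lifetime is capped by the CAs above
it, and by when each CA must be renewed upstream so that nothing it
signs gets cut short. Assumption: a CA truncates the notAfter of
anything it signs to the earliest notAfter in its own chain.
All dates and names are constructed sample values.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


def add_years(d: date, n: int) -> date:
    """Calendar-year arithmetic; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


@dataclass
class CA:
    name: str
    validity_years: int            # lifetime of this CA's own certificate
    not_before: date
    parent: Optional["CA"] = None  # None for the self-signed root

    @property
    def not_after(self) -> date:
        return add_years(self.not_before, self.validity_years)

    def chain_not_after(self) -> date:
        """Earliest notAfter on the path from this CA up to the root."""
        if self.parent is None:
            return self.not_after
        return min(self.not_after, self.parent.chain_not_after())

    def renewed(self, on: date) -> "CA":
        """Same CA re-issued by its parent on `on` for a fresh full term."""
        return CA(self.name, self.validity_years, on, self.parent)


def build_hierarchy(start: date, validities: List[int], names: List[str]) -> List[CA]:
    """Root first. Every tier is stood up on the same day, as in a fresh deployment."""
    tiers: List[CA] = []
    parent: Optional[CA] = None
    for name, years in zip(names, validities):
        parent = CA(name, years, start, parent)
        tiers.append(parent)
    return tiers


def effective_not_after(issuer: CA, issued_on: date, leaf_years: int) -> date:
    """notAfter a leaf actually receives: the requested term, capped by the chain."""
    requested = add_years(issued_on, leaf_years)
    return min(requested, issuer.chain_not_after())


def signing_deadline(ca: CA, child_years: int) -> date:
    """Last day `ca` can sign a full `child_years` certificate without the cap
    biting. Past this date the CA must already have been renewed by its parent."""
    return add_years(ca.not_after, -child_years)


def renewal_schedule(tiers: List[CA], leaf_years: int) -> Dict[str, date]:
    """Deadline per tier, based on what each tier signs: the next tier's CA
    certificate, or leaf certificates for the issuing CA at the bottom."""
    schedule: Dict[str, date] = {}
    for i, ca in enumerate(tiers):
        child_years = tiers[i + 1].validity_years if i + 1 < len(tiers) else leaf_years
        schedule[ca.name] = signing_deadline(ca, child_years)
    return schedule


if __name__ == "__main__":
    start = date(2007, 1, 1)  # constructed deployment date
    tiers = build_hierarchy(start, [10, 5, 2], ["root", "policy", "issuing"])
    schedule = renewal_schedule(tiers, leaf_years=1)
    for ca in tiers:
        print(f"{ca.name:8s} notAfter {ca.not_after}  renew by {schedule[ca.name]}")

    issuing = tiers[-1]
    issued_on = date(2008, 6, 1)  # constructed: issuing CA has 7 months left
    print("leaf as issued:      ", effective_not_after(issuing, issued_on, 1))
    renewed = issuing.renewed(date(2008, 1, 1))  # renewed on its deadline
    print("leaf after CA renewal:", effective_not_after(renewed, issued_on, 1))
```

The point the schedule makes is that a two-year issuing CA handing out one-year certificates has to be renewed after only one year, and the five-year policy CA after three, well before either certificate looks anywhere near expiry; a leaf requested in June 2008 from the un-renewed issuing CA comes back truncated to January 2009, which is the sort of surprise the post warns about.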