North American Network Operators Group


Re: PKI operators anyone?

  • From: Joe Maimon
  • Date: Wed Sep 05 11:48:32 2007

John Curran wrote:

> At 10:06 AM -0400 9/5/07, Joe Maimon wrote:
>
>> 80 years for the root, 4096bit key
>> 35 years for the policy, 4096bit key
>> 15 years for the issuing, ?bit key
>> <=5 years for the issued certificates.
>>
>> Good idea? Bad Idea? Comments?
>
> Joe -
> What are the implications of a single issued certificate being
> cracked, and again for one of the root/policy/issuing set?
>
> There's quite a bit of speedy hardware out there today
> (particularly if you count things like repurposed video
> processors) and 5 years is a *very* long time in our
> industry. You can actually hunt down the CPS for
> most public CAs, and I think you'll find that they put
> up with the "loads of fun every 11 months or so..."
> However, for them the implications of a compromised
> issued cert is potential customer liability, and for
> the issuing certificate or above is basically loss of
> confidence in their entire business of being a CA. You
> have to assess the implications based on the expected
> certificate use for your CA.
>
> Hope this helps,
Sounds like what you are saying is that creating validity periods based on expected cracking time is an exercise in futility then.

I don't see VeriSign roots expiring every five years.
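Before settling on lifetimes like the ones proposed above, the structural checks worth running on the plan are that every certificate's validity window sits inside its issuer's, that each tier stays within its lifetime cap and key-size floor, and that no key is longer than the one signing it (the chain is only as strong as its weakest key). The script below does that over a plain description of the hierarchy. It is an added example, not code from the list or from either poster; the per-tier caps mirror the proposal, while the key-size minimums, the 2048-bit guess for the "?bit" issuing CA, the 2007-09-05 start date, and the deliberately broken second chain are all constructed assumptions.

```python
"""Sanity checks for a CA hierarchy plan: per-tier lifetime caps, minimum
key sizes, and validity-window nesting (a child must not outlive its issuer).
Added example; the tier limits below are assumptions, not the list's."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


def years_later(d: date, years: int) -> date:
    """Return d shifted by whole years (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class CertSpec:
    role: str                       # "root", "policy", "issuing" or "leaf"
    key_bits: int
    not_before: date
    not_after: date
    issuer: Optional[str] = None    # role of the signing cert; None for a self-signed root


# Assumed policy: lifetime caps (years) mirror the proposal in the thread;
# the RSA minimums per tier are this example's own assumption.
MAX_LIFETIME_YEARS: Dict[str, int] = {"root": 80, "policy": 35, "issuing": 15, "leaf": 5}
MIN_KEY_BITS: Dict[str, int] = {"root": 4096, "policy": 4096, "issuing": 2048, "leaf": 2048}


def check_chain(chain: List[CertSpec]) -> List[str]:
    """Return human-readable policy violations; an empty list means the plan passes."""
    by_role = {c.role: c for c in chain}
    findings: List[str] = []
    for c in chain:
        cap = years_later(c.not_before, MAX_LIFETIME_YEARS[c.role])
        if c.not_after > cap:
            findings.append(f"{c.role}: validity ends {c.not_after}, exceeds "
                            f"{MAX_LIFETIME_YEARS[c.role]}-year cap ({cap})")
        if c.key_bits < MIN_KEY_BITS[c.role]:
            findings.append(f"{c.role}: {c.key_bits}-bit key below minimum "
                            f"{MIN_KEY_BITS[c.role]}")
        if c.issuer is None:
            continue
        parent = by_role.get(c.issuer)
        if parent is None:
            findings.append(f"{c.role}: issuer '{c.issuer}' not in chain")
            continue
        # A cert that is still valid after its issuer expires cannot be
        # validated by a strict path builder for that remaining period.
        if c.not_before < parent.not_before or c.not_after > parent.not_after:
            findings.append(f"{c.role}: validity {c.not_before}..{c.not_after} not nested "
                            f"inside {parent.role} {parent.not_before}..{parent.not_after}")
        # A longer key under a shorter signing key buys nothing.
        if c.key_bits > parent.key_bits:
            findings.append(f"{c.role}: {c.key_bits}-bit key is longer than its "
                            f"{parent.role} issuer's {parent.key_bits}-bit key")
    return findings


START = date(2007, 9, 5)  # constructed start date for the sample plans

# The hierarchy as proposed in the thread ("?bit" for the issuing CA assumed 2048).
PROPOSED_CHAIN = [
    CertSpec("root", 4096, START, years_later(START, 80)),
    CertSpec("policy", 4096, START, years_later(START, 35), issuer="root"),
    CertSpec("issuing", 2048, START, years_later(START, 15), issuer="policy"),
    CertSpec("leaf", 2048, START, years_later(START, 5), issuer="issuing"),
]

# Constructed variant with two defects: an issuing CA that outlives its
# policy CA, and a leaf issued for six years.
BAD_CHAIN = [
    CertSpec("root", 4096, START, years_later(START, 80)),
    CertSpec("policy", 4096, START, years_later(START, 35), issuer="root"),
    CertSpec("issuing", 2048, START, years_later(START, 40), issuer="policy"),
    CertSpec("leaf", 2048, START, years_later(START, 6), issuer="issuing"),
]

if __name__ == "__main__":
    for name, chain in (("proposed", PROPOSED_CHAIN), ("bad", BAD_CHAIN)):
        print(name, check_chain(chain) or "OK")
```

Run as-is, the proposed chain passes and the bad chain produces three findings (the over-long issuing CA trips both the cap and the nesting check, and the leaf trips the cap). The check is a floor, not a substitute for the question John raises: it says nothing about what a compromise at each tier would cost, which is the input that should actually drive the lifetimes.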