North American Network Operators Group
Re: PKI operators anyone?
On Wed, 5 Sep 2007, Chris Marlatt wrote:
> If you re-issue (and check) CRLs daily for 10-year certificates, your exposure is a day, not 10 years.
Since this is true across all authentication systems, why not have the same validity periods for passwords, PKI certificates, hardware tokens?
If you require people to change passwords every 7 days because you don't know if the password might have been compromised, shouldn't you also change your PKI certificates every 7 days, and your hardware tokens every 7 days, because you don't know whether or not they've been compromised? Maybe PKI certificates should be one-time use only, because you never know if they've been compromised.
The validity period should be an output of your administrative procedures and risk assessment (really risk acceptance), not an input.