North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: PKI operators anyone?
Steven M. Bellovin wrote:
The question about root key lifetime turns not just on the security issues but on how easy it is to change the root key, either routinely or in event of a compromise. To a first approximation, no certificate acceptor *ever* changes its notion of root keys. In that case, the question is how many acceptors you have, what their lifetime is, and how easily you can be one of the rare people who does change the root. That's why browsers have long-lived certificates built in -- that list rarely changes. You suggest an 80-year lifetime for your root key. How many of your current devices do you expect to be using in 80 years? I thought so...
Hopefully none, at half-life. Thats the point.
This is actually a good point. Epoch rollover? Are you suggesting that any cert set to expire after the epoch may tickle issues now?