Hi Eric,
I am not saying it is the CA's job (although good CAs will impose max
lifetimes on keys), but it seems to me that this issue should be
addressed since it would violate one of the basic security principles
when it comes to crypto, i.e. key lifetime. Maybe adding something in
this regard could be useful so that "TLS operators" and CDN operators do
not shoot themselves in the foot :D
Cheers,
Max
On 3/30/17 12:53 PM, Eric Rescorla wrote:
I don't think it's the CA's job to dictate policy in this area.
-Ekr
On Thu, Mar 30, 2017 at 12:26 PM, Dr. Pala <[email protected]> wrote:
Hi all,
I have a small question about the I-D. In particular, it seems to
me that this proposal circumvents any limitation on the effective
lifetime of a short-lived cert's keypair. From a cryptographic
standpoint, it is good practice to impose strict lifetimes
on keys (i.e., usually via validity periods in certificates) to
limit the issue of successful attacks on the crypto scheme (e.g.,
key factorization). This proposal would de facto remove this
property by adopting re-issuing instead of re-keying when renewing
a certificate.
Although the CA might be able to track the usage of a key from the
initial CSRs, the automatic issuance of the certificate itself
without the constraints of the key longevity seems quite dangerous
and possibly open to a policy of "set-and-forget" that might last
for... years... (automatically not re-issuing the certificate
based on key-size + CSR timestamp would, I think, create issues
for CDNs as there would be no indication when a new LURK/CSR cycle
is needed).
Am I reading it wrong / missing something?
Cheers,
Max
--
Massimiliano Pala, PhD
Director at OpenCA Labs
twitter: @openca
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
--
Massimiliano Pala
Director at OpenCA Labs
twitter: @_mpala_
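The check Max describes (a CA declining to re-issue for a public key that has been in service longer than its policy allows, keyed on key size and the timestamp of the first CSR that carried it) can be sketched as follows. This is an added example for the discussion, not code from the thread, from OpenCA, or from any ACME server. The lifetime table, the `KeyAgeRegistry` class, the `simulate` helper and the SPKI byte strings are all constructed for illustration; a real CA would take the SubjectPublicKeyInfo from the parsed CSR and persist the first-seen time. The decision also reports the remaining key lifetime, which is the "indication that a new LURK/CSR cycle is needed" that the thread notes a CDN operator would otherwise lack.

```python
"""Added example: CA-side key-age enforcement for re-issue-without-re-key.

Each subject public key is identified by the SHA-256 fingerprint of its
DER-encoded SubjectPublicKeyInfo.  The registry remembers when a key was
first seen in a CSR; issuance is refused once the key's age exceeds the
policy maximum for its algorithm and size.  Hypothetical code, not from
any real CA or ACME implementation.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Illustrative policy: maximum key lifetime by (algorithm, size in bits).
# These numbers are assumptions for the example, not a standard's values.
MAX_KEY_LIFETIME = {
    ("RSA", 2048): timedelta(days=365),
    ("RSA", 4096): timedelta(days=730),
    ("EC", 256): timedelta(days=365),
}

# Constructed first-CSR timestamp (the date of the original mail).
T0 = datetime(2017, 3, 30, tzinfo=timezone.utc)


def spki_fingerprint(spki_der: bytes) -> str:
    """Stable identifier for a public key: SHA-256 over the DER SPKI."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass
class KeyAgeRegistry:
    """Remembers the first time each public key appeared in a CSR."""

    first_seen: dict = field(default_factory=dict)

    def record_csr(self, spki_der: bytes, when: datetime) -> str:
        fp = spki_fingerprint(spki_der)
        # setdefault keeps the earliest timestamp; later CSRs with the
        # same key do not reset the clock, which is the whole point.
        self.first_seen.setdefault(fp, when)
        return fp

    def issuance_decision(self, spki_der: bytes, algorithm: str,
                          key_bits: int, now: datetime):
        """Return (allowed, reason) for a (re-)issuance request."""
        limit = MAX_KEY_LIFETIME.get((algorithm, key_bits))
        if limit is None:
            return False, f"no lifetime policy for {algorithm}-{key_bits}; re-key required"
        fp = self.record_csr(spki_der, now)
        age = now - self.first_seen[fp]
        if age > limit:
            return False, (f"key {fp[:16]}... is {age.days} days old, over the "
                           f"{limit.days}-day limit; re-key required")
        remaining = limit - age
        return True, f"ok; {remaining.days} days of key lifetime remaining"


def simulate(renewal_days, algorithm="RSA", key_bits=2048,
             spki_der=b"constructed RSA-2048 SPKI DER bytes"):
    """Record a first CSR at T0, then request re-issuance at each offset.

    Returns a list of (days_after_first_csr, allowed, reason).
    """
    registry = KeyAgeRegistry()
    registry.record_csr(spki_der, T0)
    results = []
    for days in renewal_days:
        allowed, reason = registry.issuance_decision(
            spki_der, algorithm, key_bits, T0 + timedelta(days=days))
        results.append((days, allowed, reason))
    return results


if __name__ == "__main__":
    for days, allowed, reason in simulate([0, 60, 364, 366, 400]):
        print(f"day {days:>3}: {'ISSUE' if allowed else 'REFUSE'} - {reason}")
```

With the constructed 365-day RSA-2048 limit, the automated renewals at days 0, 60 and 364 are issued (each reply carries the remaining key lifetime), while the requests at days 366 and 400 are refused until the operator submits a CSR for a fresh key; a key type with no policy entry is refused outright.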