On Fri, Jan 11, 2019 at 4:13 PM Mark Kosters <[email protected]> wrote:

> Hi David et al.
>
> This is good input. The code was written to match the lifetime of the
> resource cert. We can certainly lower the default down. Is 3 years the
> consensus?
>
> Thanks,
>
> Mark
>
> *From: *arin-tech-discuss <[email protected]> on behalf
> of David Farmer <[email protected]>
> *Date: *Friday, January 11, 2019 at 12:10 PM
> *To: *Christopher Morrow <[email protected]>
> *Cc: *"[email protected]" <[email protected]>
> *Subject: *Re: [arin-tech-discuss] RPKI How long to set a ROA certificate
>
> On Fri, Jan 11, 2019 at 1:13 AM Christopher Morrow <
> [email protected]> wrote:
>
> On Thu, Jan 10, 2019 at 10:29 PM Delacruz, Anthony B <
> [email protected]> wrote:
>
> The default using ARIN systems looks to be 10 years. That just feels like
> too long given how other certificates I interact with expire. What is
> everyone else
>
> that seems very long.
>
> I expect it might make sense to think about how long do you expect to need
> the ROA (for example)? and how often will your automation be able to update
> all objects which need to be updated? One other thing to keep in mind is
> how long do you think a 'lost' object should be usable?
>
> I agree that is long, and probably too long for the default, but it's not
> insanely long; for much of the Internet, prefixes don't change very much
> once they are advertised, and typically the prefixes allocated or assigned
> are the ones advertised. The prefixes intentionally advertised by our
> network have been stable for several decades; yes, we have added new
> prefixes, but in the last thirty years only one of our prefixes has had a
> more specific added to our list of intentionally advertised prefixes once
> initially advertised. The nature and longevity (more than 150 years) of our
> institution lends itself to an abnormally high level of stability;
> nevertheless, for much of the Internet, stability on a scale of several
> years is the norm.
>
> tending to do? We're just putting our toe in the water for this, so using
> the hosted to accommodate a few customers as we research and test doing
> delegated, which probably would be 2 or so years out. Would I run into
> trouble if it's too long and then switch to us running on our servers? I
> wouldn't think so, just expire it and issue new ones, right? Any tips on
> running hosted for a while with intent to switch to delegated?
>
> seems correct to me, there may be more wonkery required than at first
> blush seems right, but :)
>
> I think somewhere between 2 and 5 years is reasonable and going to be
> common, probably starting out closer to 2 years and over time moving closer
> to 5 years as everyone gains experience. But if you are just dipping your
> toes in the water, 1 or 2 years seems perfectly appropriate.
>
> I'd like to see ARIN change the default to 3 years; 10 years is way too
> long for the default, though 10 years might be a reasonable maximum. I'm
> suggesting 3 years to help encourage people not to use too short a time,
> but also these things need to be regularly evaluated and updated too; 3
> years seems a reasonable balance of the issues, at least without additional
> knowledge of other circumstances involved.
>

Maybe the question to ask is: "What is this cert doing, what happens if you
lose control of the key material for it?" That should guide how long a
certificate could be outside of your control... and thus the length of
validity of the cert?

> --
>
> ===============================================
> David Farmer               Email:[email protected]
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029    Cell: 612-812-9952
> ===============================================
>
_______________________________________________
arin-tech-discuss mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-tech-discuss
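A small audit script, added here as an illustration and not part of the thread, of ARIN's hosted RPKI system, or of any RPKI tool. It applies the policy argued for in the thread (a maximum ROA lifetime of about 3 years, with regular renewal) to a list of ROAs, and for each one also reports how many days it would remain valid if its key material were lost today, which is the question raised at the end of the message. The JSON input layout, the prefixes and the ASNs are constructed for the example; the policy constants are assumptions and should be set to your own values.

```python
"""Audit ROA validity windows against a lifetime/renewal policy.

Flags ROAs whose lifetime exceeds the policy maximum (e.g. the 10-year
default discussed on the list), ROAs inside the renewal window, and
expired ROAs. Added example; the input is a constructed, simplified ROA
list and NOT the export format of any real RPKI validator or CA.
"""
import json
from datetime import datetime, timezone

# Policy knobs (assumptions, loosely matching the "3 years, renew regularly" view).
MAX_VALIDITY_YEARS = 3   # longest lifetime accepted at issuance time
RENEWAL_LEAD_DAYS = 90   # re-issue when fewer than this many days remain

# Fixed "now" so the report below is reproducible (assumption for the example).
EXAMPLE_NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)

# Constructed sample data: documentation prefixes/ASNs, ISO-8601 UTC timestamps.
SAMPLE_ROAS = json.dumps([
    {"asn": 64496, "prefix": "192.0.2.0/24", "maxLength": 24,          # 10-year default
     "notBefore": "2019-01-15T00:00:00+00:00", "notAfter": "2029-01-15T00:00:00+00:00"},
    {"asn": 64496, "prefix": "198.51.100.0/24", "maxLength": 24,       # 3-year lifetime
     "notBefore": "2019-01-15T00:00:00+00:00", "notAfter": "2022-01-15T00:00:00+00:00"},
    {"asn": 64497, "prefix": "2001:db8::/32", "maxLength": 48,          # 30 days left
     "notBefore": "2018-03-01T00:00:00+00:00", "notAfter": "2019-07-01T00:00:00+00:00"},
    {"asn": 64497, "prefix": "203.0.113.0/24", "maxLength": 24,        # already expired
     "notBefore": "2016-01-01T00:00:00+00:00", "notAfter": "2019-01-01T00:00:00+00:00"},
])


def _add_years(ts, years):
    """Add calendar years; a Feb 29 start rolls back to Feb 28 in a non-leap target year."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:
        return ts.replace(year=ts.year + years, day=28)


def _parse(ts):
    """Parse an ISO-8601 timestamp; treat a naive value as UTC."""
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_roas(roas_json, now=None):
    """Return one finding per ROA.

    status is one of: expired, expiring_soon, too_long, ok (checked in that order).
    days_remaining is the exposure window: how long the ROA stays valid from
    `now` even if the issuing key were lost and could not be revoked.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for roa in json.loads(roas_json):
        not_before, not_after = _parse(roa["notBefore"]), _parse(roa["notAfter"])
        remaining = (not_after - now).days
        if not_after <= now:
            status = "expired"
        elif remaining < RENEWAL_LEAD_DAYS:
            status = "expiring_soon"
        elif not_after > _add_years(not_before, MAX_VALIDITY_YEARS):
            status = "too_long"
        else:
            status = "ok"
        findings.append({
            "asn": roa["asn"], "prefix": roa["prefix"], "maxLength": roa["maxLength"],
            "status": status, "days_remaining": remaining,
        })
    return findings


def summarize(findings):
    """Group prefixes by status for a quick report."""
    report = {}
    for f in findings:
        report.setdefault(f["status"], []).append(f["prefix"])
    return report


if __name__ == "__main__":
    for f in audit_roas(SAMPLE_ROAS, now=EXAMPLE_NOW):
        print(f"{f['prefix']:<20} AS{f['asn']:<6} {f['status']:<14} "
              f"{f['days_remaining']:>5} days left")
    print(summarize(audit_roas(SAMPLE_ROAS, now=EXAMPLE_NOW)))
```

The checks are ordered so that an expired or nearly expired ROA is reported as such even if its original lifetime was also too long; the point of `days_remaining` is that a ROA with a 10-year lifetime created today keeps authorising that origin for the full ten years after a key compromise unless the RIR or CA can revoke it, which is the trade-off the thread is weighing.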
