On 2019-01-11 16:47, Christopher Morrow wrote:
> Maybe the question to ask is: "What is this cert doing, what happens
> if you lose control of the key material for it?"
> That should guide how long a certificate could be outside of your
> control... and thus the length of validity of the cert?
Agreed, especially on the "what happens when you lose it" point..
Additionally, while prefix/origin AS binding should be more stable than
websites even with the relatively short validity periods used for webPKI
(which were in part an artifact of people having to pay for TLS/SSL
certificates on an annual basis until all the freebies emerged and more
recently the CAB forum setting max validity to ~2 years a year or so
ago, IIRC) the overall revocation model going the way of webPKI (e.g.,
punt non-expired but revoked certs out of CRLs for various reasons,
wholly ignore CRLs in relying party software because of startup and
processing issues, etc..) isn't a desirable thing, methinks... Shorter
timeframes (e.g., 1-3 years) force better hygiene earlier in the
deployment process as well.
-danny
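As an added illustration of the "what happens if you lose control of the key material" question raised in this exchange (example code written for this page, not tooling from ARIN, the list, or either poster), the following Python models how long a lost key stays trusted under different certificate lifetimes and relying-party revocation behaviours: one relying party that honors CRLs with some refresh lag, and one that ignores CRLs entirely. The dates, the one-day CRL refresh interval, the three-year policy threshold and the scenario helper are all constructed assumptions.

```python
"""Exposure-window model for a certificate whose private key has been lost.

Constructed example for the arin-tech-discuss thread on cert validity.
All dates, refresh intervals and thresholds are assumptions, not values
taken from any CA, RPKI profile or relying-party implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime

    def validity_days(self) -> int:
        return (self.not_after - self.not_before).days


@dataclass(frozen=True)
class RelyingParty:
    """How a relying party treats revocation."""
    honors_crl: bool          # False models software that ignores CRLs outright
    crl_refresh: timedelta    # maximum staleness of a cached CRL when honored


def exposure_window(cert: Cert, compromised_at: datetime,
                    revoked_at: Optional[datetime],
                    rp: RelyingParty) -> Optional[Tuple[datetime, datetime]]:
    """Interval during which rp still trusts a key its holder has lost.

    The window opens when the key is lost (or when the cert becomes valid,
    if that is later) and closes at expiry. If rp honors CRLs and the issuer
    has revoked the cert, it closes earlier: at most one refresh interval
    after revocation, when rp next fetches a CRL listing the cert. A
    revoked_at of None covers a cert that never appears on a CRL.
    """
    start = max(compromised_at, cert.not_before)
    end = cert.not_after
    if rp.honors_crl and revoked_at is not None:
        end = min(end, revoked_at + rp.crl_refresh)
    if end <= start:
        return None  # lost after expiry, or revoked before it was lost
    return start, end


def exposure_days(cert: Cert, compromised_at: datetime,
                  revoked_at: Optional[datetime], rp: RelyingParty) -> int:
    win = exposure_window(cert, compromised_at, revoked_at, rp)
    return 0 if win is None else (win[1] - win[0]).days


# Assumed policy ceiling, matching the "1-3 years" range suggested in the thread.
MAX_VALIDITY_DAYS = 3 * 365


def within_policy(cert: Cert, max_days: int = MAX_VALIDITY_DAYS) -> bool:
    return cert.validity_days() <= max_days


def scenario(validity_years: int) -> Dict[str, int]:
    """Constructed scenario: cert issued 2019-01-01, key lost 2019-06-01,
    revoked two weeks later. Returns exposure in days per relying-party type."""
    cert = Cert(datetime(2019, 1, 1), datetime(2019 + validity_years, 1, 1))
    lost = datetime(2019, 6, 1)
    revoked = datetime(2019, 6, 15)
    honors = RelyingParty(honors_crl=True, crl_refresh=timedelta(days=1))
    ignores = RelyingParty(honors_crl=False, crl_refresh=timedelta(days=1))
    return {
        "validity_days": cert.validity_days(),
        "within_policy": within_policy(cert),
        "honors_crl": exposure_days(cert, lost, revoked, honors),
        "ignores_crl": exposure_days(cert, lost, revoked, ignores),
    }


if __name__ == "__main__":
    for years in (1, 2, 5):
        print(years, "year cert:", scenario(years))
```

The point the numbers make is the one Morrow and Danny are circling: for a relying party that honors CRLs, exposure is bounded by revocation latency regardless of lifetime, but for one that ignores CRLs the only bound left is notAfter, so a five-year cert lost in its first year stays trusted for well over four more years while a two-year cert caps the damage at its remaining term.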
_______________________________________________
arin-tech-discuss mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-tech-discuss