Hi,

>>Our current Server CA certificate will expire in 2026 (when hopefully it
>>won't be my problem!).
>
>Thus the universal CA root cert lifetime policy, "the lifetime of a CA root
>certificate is the time till retirement of the person in charge at its
>creation, plus five years" :-).

This neglects the not entirely unlikely possibility that long before your retirement some clever person will have broken your cryptographic hash function or signature scheme. I once saw a document referring to a PKI with a proposed certificate lifetime of 100 years. Those people really care about their grandchildren.

Grtz,
Benne

---------------------------------------------------------------------
The Cryptography Mailing List
