Mikko Rantalainen wrote:
> On Friday, 16 August 2013 12:01:51 UTC+3, Gervase Markham wrote:
>> 2. Limited cert lifetimes mean that if an algorithm starts to look dodgy
>> (e.g. as MD5 did) we can move the industry to new algorithms without
>> having to worry about 20-year end-entity certs. This is why we have been
>> pushing in the CAB Forum for shorter max cert lifetimes. It's the CAs
>> who want longer lifetimes!
>
> As long as the CA key X is signed with algorithm Y and its lifetime is N
> years, there's no additional security for signing chained keys for shorter
> lifetimes. For example, if a CA has a 2048-bit RSA key with self-signature
> using SHA-1 and lifetime of 20 years, it really does not matter if chained
> server keys have better algorithms and longer key lengths. If we really
> believed that shorter lifetime is required for the keys, we would be
> replacing those CA keys already.
If the signing CA's cert is locally installed as trust anchor (being verified out-of-band, e.g. by fingerprint) you don't have to care about the cert signature anymore because the public key is locally installed. One real-world example was a Verisign root cert with RSA-MD2 self-signature which issued sub-CA certs with better algorithm combinations. IMO there was nothing wrong with that.

Regarding cert validity period: I'd consider EE keys to be more exposed than CA keys since they are used on less secure systems. Therefore a shorter cert lifetime makes sense. I might have misunderstood your statement though.

Ciao,
Michael.
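The point about a locally installed anchor, as an added example (Go standard library only, not code from the thread): a constructed root CA whose self-signature is deliberately corrupted still validates the server certificate it issued, because path building uses only the anchor's public key. The names, serials and validity periods are made up for the demonstration.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue creates and parses a certificate signed by signer; parent == template
// yields a self-signed certificate.
func issue(template, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
// AnchorDemo builds a constructed 20-year root CA, breaks its self-signature, issues
// a 3-month server cert under it, and returns (rootSelfSigValid, leafVerifiesViaAnchor).
func AnchorDemo() (bool, bool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	eeKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now().Add(-time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore: now, NotAfter: now.AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	// Corrupt the root's own signature; its public key and other fields are untouched.
	root.Signature[0] ^= 0xFF
	selfSigOK := root.CheckSignature(root.SignatureAlgorithm, root.RawTBSCertificate, root.Signature) == nil
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: now, NotAfter: now.AddDate(0, 3, 0),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(eeTmpl, root, &eeKey.PublicKey, caKey)
	// Path building uses only the anchor's public key, never its signature, so
	// the leaf still verifies against the locally installed (corrupted) root.
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "www.example.test"})
	return selfSigOK, err == nil
}
```

The same property is why the anchor's own signature algorithm (MD2, SHA-1 or anything else) is irrelevant once the certificate is installed and trusted by identity rather than by signature.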