I've also heard the "changing the keys is good hygiene" argument -- if someone has wandered off with your private keys (like an old administrator), you have limited how long they can reuse them.... but, a: there is room for argument and b: we have gotten way down into the weeds here...
W

On Fri, Jul 21, 2017 at 2:58 PM, George Michaelson <[email protected]> wrote:
> A fine bit of epistemology lies in the question: is it the same
> certificate, if you re-issue it with the same keys? No, because it has
> a different serial. But the crypto doesn't care, it's the validation
> which cares, which is a product of the crypto. So validation cares but
> cryptographic functions themselves, not such.
>
> The nice thing about bare key cryptography is that fish don't need
> bicycles. Dates are dates and validity intervals are a thing, but you
> can re-bake as many times as you like if there is nothing embedded in
> the structure like a serial. Oh wait.. we sign the SOA don't we...
>
> I (for one) hang onto the .req file. Maybe that's naughty, but I do, so
> in my case Warren's routine is that the keypair is being reused,
> because.. well.. because I like to. Software I consume I suspect (like
> you) doesn't, and re-mints shiny new keys now with added keynomium,
> but when I do it by hand? Yes, I reuse the .req file.
>
> But I am probably being led into bad places as a result. I am sure
> wiser heads will say.
>
> On Fri, Jul 21, 2017 at 1:46 PM, Warren Kumari <[email protected]> wrote:
>> On Fri, Jul 21, 2017 at 1:36 PM, Tony Finch <[email protected]> wrote:
>>> Andrew Sullivan <[email protected]> wrote:
>>>>
>>>> For instance, people also express astonishment that DNSKEYs don't
>>>> expire. Everyone always has to be reminded that signatures expire, and
>>>> if you want to expire keys you take them out of the zone.
>>>
>>> I agree with your message.
>>>
>>> It might be useful to explain this DNSKEY oddity by comparison with x.509
>>> certificates. In particular, it's the cert that expires, not the key, and
>>> when you renew a cert you can re-use the same key.
>>
>>
>> Yeah, you *can* reuse the same key, but (I suspect) most don't -- from
>> what I've seen, the general process is:
>> 1: Erk! My cert is about to / has just expired!!!
>> 2: Search for and follow some online recipe related to "make ssl certificate"
>> 3: ????
>> 4: Go back to sleep.
>>
>> I think (but would be happy to be proven wrong) that most
>> certificate renewals[0] involve a change of keys too.
>>
>> W
>> [0]: Well, "legacy certs", excluding sexy new things like LE / ACME, etc.
>>
>>>
>>> Tony.
>>> --
>>> f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode
>>> Portland, Plymouth, North Biscay: Southerly or southwesterly 6 to gale 8
>>> veering westerly or southwesterly 4 or 5, occasionally 6 later. Moderate or
>>> rough. Rain or showers. Good, occasionally poor.

--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
---maf

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
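The point Andrew makes in the quoted thread (a DNSKEY carries no dates at all; the RRSIG carries the inception and expiration; you "expire" a key by taking its DNSKEY out of the zone) is easy to see in the wire/presentation formats themselves. The following is an added example written for this page, not code from the thread or from any DNS software. It uses only the Python standard library, parses DNSKEY and RRSIG records in presentation format, computes the key tag as specified in RFC 4034 Appendix B, and applies the two pre-crypto checks a validator makes (RFC 4035 section 5.3.1: is the current time inside the signature window, and is there a DNSKEY in the zone with the matching owner, key tag and algorithm). The zone text is constructed for illustration: the base64 "public keys" are junk bytes, the signature field is a placeholder, and no signature is cryptographically verified.

```python
"""Check RRSIG validity windows against the DNSKEYs present in a zone.

Added illustration, not from the thread or any DNS software. DNSKEY
records carry flags/protocol/algorithm/key and no dates; RRSIG records
carry an inception and an expiration. A key is retired by removing its
DNSKEY, after which signatures naming its key tag no longer match.
Only the time window and key-tag matching are done here; nothing is
cryptographically verified. The zone below is constructed; the base64
"public keys" are junk bytes, not real key material.
"""
import base64
import struct
from datetime import datetime, timezone


def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte, odd the low byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Convenience constructor for a UTC instant (the validator's 'now')."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _sigtime(field: str) -> datetime:
    # RRSIG presentation format: YYYYMMDDHHmmSS, always UTC (RFC 4034 section 3.2)
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_dnskey(line: str) -> dict:
    """'owner TTL IN DNSKEY flags protocol algorithm base64-key...'
    Note there is no expiration field to parse: a DNSKEY has no dates."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return {"owner": f[0], "flags": flags, "algorithm": alg,
            "key_tag": dnskey_key_tag(flags, proto, alg, pubkey)}


def parse_rrsig(line: str) -> dict:
    """'owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig'"""
    f = line.split()
    i = f.index("RRSIG")
    return {"owner": f[0], "type_covered": f[i + 1], "algorithm": int(f[i + 2]),
            "expiration": _sigtime(f[i + 5]), "inception": _sigtime(f[i + 6]),
            "key_tag": int(f[i + 7]), "signer": f[i + 8]}


def load_zone(text: str):
    """Return (dnskeys, rrsigs) parsed from zone text in presentation format."""
    lines = text.splitlines()
    dnskeys = [parse_dnskey(l) for l in lines if " DNSKEY " in l]
    rrsigs = [parse_rrsig(l) for l in lines if " RRSIG " in l]
    return dnskeys, rrsigs


def rrsig_status(rrsig: dict, dnskeys: list, now: datetime) -> str:
    """The checks a validator applies before any crypto (RFC 4035 section 5.3.1):
    the window is inclusive at both ends, and the signing key must still be in the zone."""
    if now > rrsig["expiration"]:
        return "expired"
    if now < rrsig["inception"]:
        return "not yet valid"
    for k in dnskeys:
        if (k["owner"] == rrsig["signer"] and k["key_tag"] == rrsig["key_tag"]
                and k["algorithm"] == rrsig["algorithm"]):
            return "in window, signing key present"
    return "in window, but no DNSKEY with that tag/algorithm in the zone"


# Constructed sample zone: KSK (flags 257) and ZSK (flags 256), both algorithm 13,
# plus one RRSIG over the SOA made by the ZSK. Keys and signature are placeholders.
ZONE = """\
example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 13 CgsMDQ==
example.com. 3600 IN RRSIG SOA 13 2 3600 20170801000000 20170715000000 6693 example.com. c2lnbmF0dXJl
"""


if __name__ == "__main__":
    keys, sigs = load_zone(ZONE)
    print("DNSKEY tags:", [k["key_tag"] for k in keys])
    for when in (utc(2017, 7, 21), utc(2017, 8, 2)):
        print(when.date(), rrsig_status(sigs[0], keys, when))
    # "Expiring" the ZSK: drop its DNSKEY from the zone and re-check the same RRSIG.
    remaining = [k for k in keys if k["key_tag"] != 6693]
    print("after removing ZSK:", rrsig_status(sigs[0], remaining, utc(2017, 7, 21)))
```

Run as a script it shows the same RRSIG going from valid to expired purely by the clock, and then failing again when the ZSK's DNSKEY is removed from the zone while the dates are still fine. The x.509 side of Tony's comparison is the mirror image: a renewed certificate gets a new serial and new notBefore/notAfter, and whether the key was reused is answered by comparing the SubjectPublicKeyInfo of the old and new certificates, which this block does not do.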
