There is no requirement in the CA/Browser Forum at present to require regular key rotation, nor is there a way for that to be verifiably implemented across all CAs, as any subscriber can present a preexisting keypair to another CA.
So no. The limit is to the lifetime of the certificate and the reuse of validation information. Changing keys frequently is not a function of the key strength, but a function of pragmatic key protections. Shorter-lifetime keys, such as 90 days, coupled with automated issuance, appropriately balance the realities of clock skew in clients versus the practical challenges of meaningful key protection on Internet-enabled systems.

On Wed, Dec 20, 2017 at 10:45 AM, 陳立群 via Public <[email protected]> wrote:

> My colleague wants to ask that from BR 6.3.2 Certificate Operational Periods and Key Pair Usage Periods,
> "Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days."
>
> Does the life time of every key pair of OV/DV/IV SSL certificate have to be no greater than 825 days after March 2018?
>
> Not only the discussion about revalidate domain name ownership or OV, IV, or processing like SHA-1 sunset issues to shorten the validity. The customer should change their RSA 2048 bits key pairs frequently. Right?
> Thanks.
>
> Li-Chun Chen
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
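
An added illustration of the distinction drawn in the reply above (not part of the original thread): the 825-day limit is a property of each certificate, while the key pair is identified by its SubjectPublicKeyInfo and can be carried unchanged into any number of certificates. The script assumes `openssl` and GNU `date`; the self-signed certificates and the name `example.test` are constructed stand-ins for certificates a subscriber would obtain from one or more CAs.

```shell
#!/bin/sh
# Added example: certificate validity period vs. key pair reuse.
set -e

MAX_DAYS=825   # BR 6.3.2 limit quoted in the thread

# SHA-256 of the DER SubjectPublicKeyInfo; the same for every
# certificate issued over the same key pair, whoever issued it.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Whole days between notBefore and notAfter (GNU date assumed for -d).
validity_days() {
  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ($(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s)) / 86400 ))
}

# Exit status 0 when the validity period is within MAX_DAYS.
within_limit() { [ "$(validity_days "$1")" -le "$MAX_DAYS" ]; }

# Exit status 0 when two certificates carry the same public key.
same_key() { [ "$(spki_sha256 "$1")" = "$(spki_sha256 "$2")" ]; }

# Constructed sample input: one RSA 2048 key, three certificates over it.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
for days in 90 825 900; do
  openssl req -x509 -new -key "$WORK/key.pem" -sha256 -days "$days" \
    -subj "/CN=example.test" -out "$WORK/cert$days.pem" 2>/dev/null
done

# Report: the lifetime check varies per certificate, the key hash does not.
for days in 90 825 900; do
  c="$WORK/cert$days.pem"
  if within_limit "$c"; then verdict="ok"; else verdict="over $MAX_DAYS"; fi
  printf 'cert%-3s %4s days  %-8s spki=%s\n' \
    "$days" "$(validity_days "$c")" "$verdict" "$(spki_sha256 "$c")"
done
```

An operator who wants key rotation has to enforce it locally, for example by recording the SPKI hash at each issuance and refusing a renewal whose hash matches the previous one.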
