Folly of looking at CA cert lifetimes

2010-09-14 Thread Paul Hoffman
At 10:57 AM -0400 9/14/10, Perry E. Metzger did not write, but passed on for 
someone else:
> This suggests to me that even if NIST is correct that 2048 bit RSA
> keys are the reasonable minimum for new deployments after 2010,
> much shorter keys are appropriate for most server certificates that
> these CAs will sign.  The CA keys have lifetimes of 10 years or more;
> the server keys a quarter to a fifth of that.

No, no, a hundred times no. (Well, about 250 times, or however many CAs are in 
the current OS trust anchor piles.) The lifetime of a CA key is exactly as 
long as the OS or browser vendor keeps that key, usually in cert form, in its 
trust anchor pile. You should not extrapolate *anything* from the contents of 
the CA cert except the key itself and the proclaimed name associated with it.

--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: Folly of looking at CA cert lifetimes

2010-09-14 Thread Thor Lancelot Simon
On Tue, Sep 14, 2010 at 08:14:59AM -0700, Paul Hoffman wrote:
> At 10:57 AM -0400 9/14/10, Perry E. Metzger did not write, but passed on for
> someone else:
>> This suggests to me that even if NIST is correct that 2048 bit RSA
>> keys are the reasonable minimum for new deployments after 2010,
>> much shorter keys are appropriate for most server certificates that
>> these CAs will sign.  The CA keys have lifetimes of 10 years or more;
>> the server keys a quarter to a fifth of that.
>
> No, no, a hundred times no. (Well, about 250 times, or however many
> CAs are in the current OS trust anchor piles.) The lifetime of a CA
> key is exactly as long as the OS or browser vendor keeps that key,
> usually in cert form, in its trust anchor pile. You should not
> extrapolate *anything* from the contents of the CA cert except the key
> itself and the proclaimed name associated with it.

I don't understand.  The original text seems to be talking about *server*
certificate lifetimes, and how much shorter they are than CA cert
lifetimes.  What does that have to do with a thousand times no about
some proposition to do with CA cert lifetimes?

In other words, if CA key lifetimes are longer than indicated by their
X.509 properties, it seems to me that just makes the quoted text about
the relationship between server and CA key lifetimes even more true.

Thor



Re: Folly of looking at CA cert lifetimes

2010-09-14 Thread Paul Hoffman
At 5:33 PM -0400 9/14/10, Thor Lancelot Simon wrote:
> On Tue, Sep 14, 2010 at 08:14:59AM -0700, Paul Hoffman wrote:
>> At 10:57 AM -0400 9/14/10, Perry E. Metzger did not write, but passed on for
>> someone else:
>>> This suggests to me that even if NIST is correct that 2048 bit RSA
>>> keys are the reasonable minimum for new deployments after 2010,
>>> much shorter keys are appropriate for most server certificates that
>>> these CAs will sign.  The CA keys have lifetimes of 10 years or more;
>>> the server keys a quarter to a fifth of that.
>>
>> No, no, a hundred times no. (Well, about 250 times, or however many
>> CAs are in the current OS trust anchor piles.) The lifetime of a CA
>> key is exactly as long as the OS or browser vendor keeps that key,
>> usually in cert form, in its trust anchor pile. You should not
>> extrapolate *anything* from the contents of the CA cert except the key
>> itself and the proclaimed name associated with it.
>
> I don't understand.  The original text seems to be talking about *server*
> certificate lifetimes, and how much shorter they are than CA cert
> lifetimes.  What does that have to do with a thousand times no about
> some proposition to do with CA cert lifetimes?
>
> In other words, if CA key lifetimes are longer than indicated by their
> X.509 properties, it seems to me that just makes the quoted text about
> the relationship between server and CA key lifetimes even more true.

Ah, I see what you are saying, and what Perry's anonymous forwarder meant. That
is, if "the CA keys have lifetimes of 10 years or more" means because that's
how long OSs and browsers leave them in the trust anchor pile, then it has
nothing to do with the built-in notAfter dates in the server certificates.

--Paul Hoffman, Director
--VPN Consortium
