On Thu, Mar 30, 2017 at 12:26:17PM -0500, Dr. Pala wrote:
>
> I have a small question about the I-D. In particular, it seems to me that
> this proposal circumvents any limitation on the effective lifetime of a
> short-lived-cert's keypair. From a cryptographic standpoint, it is
> good practice to impose strict lifetimes on keys (i.e., usually via validity
> periods in certificates) to limit the issue of successful attacks on the
> crypto scheme (e.g., key factorization). This proposal would de-facto remove
> this property by adopting re-issuing instead of re-keying when renewing a
> certificate.
I do not think that limiting key lifetime is necessarily a good idea. Usually, when you discover that your key is compromised (using the WebPKI definition), the attackers have been in position to compromise your keys for who knows how long. If you rotated keys, all (or at least a long list of) the past keys are considered compromised too.

The threat of using stolen keypairs to decrypt sessions is exactly what PFS is meant to defend against.

There's also key rollovers for parameter updates, but those are quite rare, and are not emergency rollovers. There are already parameters where the time that happens is either: 1) Major cryptographical breakthrough, or 2) Large quantum computers are invented.

So, I don't think CA should do anything with key lifetimes (outside obvious indications that key is not good, like revocation with KeyCompromise).

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
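As an added illustration of the point the two messages above disagree on (this is example code written for this page, not part of the thread, the I-D, or any ACME implementation): when a CA re-issues a short-lived certificate for the same keypair instead of re-keying, each certificate's validity period stays short, but the effective lifetime of the key is the span from the first certificate that carried it to the expiry of the last. The script below groups issued certificates by SubjectPublicKeyInfo fingerprint and reports that span, which is the number a CA or a relying party would audit if it wanted a key-lifetime policy independent of certificate lifetime. The `IssuedCert` record, the 60-day renewal cadence and the SPKI byte strings are all constructed sample data; real code would hash the DER-encoded SubjectPublicKeyInfo taken from the certificate.

```python
"""Measure how long a public key stays in service across certificate renewals.

Hypothetical example for this discussion. The certificate records below are
constructed; the `spki_der` values are placeholder bytes standing in for a
real DER-encoded SubjectPublicKeyInfo.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IssuedCert:
    serial: str
    spki_der: bytes          # DER SubjectPublicKeyInfo (placeholder bytes in the sample)
    not_before: datetime
    not_after: datetime


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo: a stable identity for one keypair."""
    return hashlib.sha256(spki_der).hexdigest()


def effective_key_lifetimes(certs: list[IssuedCert]) -> dict[str, tuple[datetime, datetime, int]]:
    """Group certificates by key; return (first_use, last_expiry, cert_count) per key.

    The effective key lifetime is last_expiry - first_use, however short each
    individual certificate's validity period was.
    """
    windows: dict[str, tuple[datetime, datetime, int]] = {}
    for cert in certs:
        fp = spki_fingerprint(cert.spki_der)
        if fp in windows:
            start, end, n = windows[fp]
            windows[fp] = (min(start, cert.not_before), max(end, cert.not_after), n + 1)
        else:
            windows[fp] = (cert.not_before, cert.not_after, 1)
    return windows


def keys_exceeding(certs: list[IssuedCert], max_key_lifetime_days: int) -> list[str]:
    """Fingerprints of keys whose effective lifetime exceeds the policy limit."""
    limit = timedelta(days=max_key_lifetime_days)
    return sorted(
        fp for fp, (start, end, _) in effective_key_lifetimes(certs).items()
        if end - start > limit
    )


# Constructed sample: 90-day certificates renewed every 60 days.
# Key A is re-issued four times without re-keying; key B is used for one cert.
KEY_A = b"placeholder-spki-A"
KEY_B = b"placeholder-spki-B"
T0 = datetime(2017, 1, 1)
SAMPLE_CERTS = [
    IssuedCert(f"a{i}", KEY_A, T0 + timedelta(days=60 * i), T0 + timedelta(days=60 * i + 90))
    for i in range(4)
] + [IssuedCert("b0", KEY_B, T0, T0 + timedelta(days=90))]


if __name__ == "__main__":
    for fp, (start, end, n) in effective_key_lifetimes(SAMPLE_CERTS).items():
        print(f"{fp[:16]}...  {n} cert(s), key in service {(end - start).days} days")
    # Key A shows 4 certs and 270 days in service although no single cert lasted more than 90.
    print("keys over a 180-day policy:", keys_exceeding(SAMPLE_CERTS, 180))
```

Run as a script, the output shows the mismatch both messages are arguing about: every certificate for key A is valid for 90 days, yet the key itself is live for 270. Whether that matters is exactly the disagreement above; Ilari's position is that a compromise discovered late taints the earlier keys anyway and that forward secrecy, not key rotation, is what protects recorded sessions. The script only makes the exposure window visible so that whichever policy a CA or operator chooses can be checked rather than assumed.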
