Hi Ilari, all,

I strongly disagree with your statement. From a crypto standpoint, key
rotation IS an important point and should be addressed. I think
something could/should be added to the I-D to limit the number of
renewals or the period where the same CSR can be used for certificate
re-issuing.

The solution might be as simple as setting a validity in the CSR that is
generated (if you want that to be in control of the requesting client).
I am not suggesting the specifics of how to solve it, but I think that
this is a point that should be addressed (possibly something that was in
the mind of the original authors, but did not make it into the
document...?).

What is the position of the I-D authors?

Just my 2 cents, of course :D

Cheers,
Max

On 3/30/17 2:06 PM, Ilari Liusvaara wrote:
> On Thu, Mar 30, 2017 at 12:26:17PM -0500, Dr. Pala wrote:
> > I have a small question about the I-D. In particular, it seems to me that
> > this proposal circumvents any limitation on the effective lifetime of a
> > short-lived-cert's keypair. From a cryptographic point of view, it is
> > good practice to impose strict lifetimes on keys (i.e., usually via validity
> > periods in certificates) to limit the issue of successful attacks on the
> > crypto scheme (e.g., key factorization). This proposal would de-facto remove
> > this property by adopting re-issuing instead of re-keying when renewing a
> > certificate.
>
> I do not think that limiting key lifetime is necessarily a good idea.
>
> Usually, when you discover that your key is compromised (using the
> WebPKI definition), the attackers have been in position to compromise
> your keys for who knows how long. If you rotated keys, all (or at least
> a long list of) the past keys are considered compromised too.
>
> The threat of using stolen keypairs to decrypt sessions is exactly
> what PFS is meant to defend against.
>
> There's also key rollovers for parameter updates, but those are quite
> rare, and are not emergency rollovers. There are already parameters
> where the time that happens is either: 1) Major cryptographical
> breakthrough, or 2) Large quantum computers are invented.
>
> So, I don't think the CA should do anything with key lifetimes (outside
> obvious indications that key is not good, like revocation with
> KeyCompromise).
>
> -Ilari
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme

--
Massimiliano Pala, PhD
Director at OpenCA Labs
twitter: @openca