On Thu, Mar 30, 2017 at 03:36:30PM -0500, Dr. Pala wrote: > Hi Ilari, all, > > I strongly disagree with your statement. From a crypto standpoint, key > rotation IS an important point and should be addressed. I think something > could/should be added to the I-D to limit the number of renewal or the > period where the same CSR can be used for certificate re-issuing. > > The solution might be as simple as set a validity in the CSR that is > generated (if you want that to be in control of the requesting client). I am > not suggesting the specifics of how to solve it, but I think that this is a > point that should be addressed (possibly something that was in the mind of > the original authors, but did not make it in the document... ?).
I just read the draft. A facility to limit the private key period, assuming you want to do that, already exists. And there are a number of sane-looking metrics[1], where any timed key rotation strictly[2] decreases security. [1] Basically, anything that considers security issue duration. [2] Meaning you get '<' operator in comparision, not '<='. -Ilari _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
