Folly of looking at CA cert lifetimes

Paul Hoffman paul.hoffman at vpnc.org
Tue Sep 14 11:14:59 EDT 2010


At 10:57 AM -0400 9/14/10, Perry E. Metzger did not write, but passed on for someone else:
>This suggests to me that even if NIST is correct that 2048 bit RSA
>keys are the reasonable minimum for new deployments after 2010,
>much shorter keys are appropriate for most server certificates that
>these CAs will sign.  The CA keys have lifetimes of 10 years or more;
>the server keys a quarter to a fifth of that.

No, no, a hundred times no. (Well, about 250 times, or however many CAs are in the current OS trust anchor piles.) The "lifetime" of a "CA key" is exactly as long as the OS or browser vendor keeps that key, usually in cert form, in its trust anchor pile. You should not extrapolate *anything* from the contents of the CA cert except the key itself and the proclaimed name associated with it.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com