Folly of looking at CA cert lifetimes

[Paul Hoffman]

At 5:33 PM -0400 9/14/10, Thor Lancelot Simon wrote:
>On Tue, Sep 14, 2010 at 08:14:59AM -0700, Paul Hoffman wrote:
>> At 10:57 AM -0400 9/14/10, Perry E. Metzger did not write, but passed on for someone else:
>> >This suggests to me that even if NIST is correct that 2048 bit RSA
>> >keys are the reasonable the minimum for new deployments after 2010,
>> >much shorter keys are appropriate for most server certificates that
>> >these CAs will sign.  The CA keys have lifetimes of 10 years or more;
>> >the server keys a a quarter to a fifth of that.
>>
>> No, no, a hundred times no. (Well, about 250 times, or however many
>> CAs are in the current OS trust anchor piles.) The "lifetime" of a "CA
>> key" is exactly as long as the OS or browser vendor keeps that key,
>> usually in cert form, in its trust anchor pile. You should not
>> extrapolate *anything* from the contents of the CA cert except the key
>> itself and the proclaimed name associated with it.
>
>I don't understand.  The original text seems to be talking about *server*
>certificate lifetimes, and how much shorter they are than CA cert
>lifetimes.  What does that have to do with "a thousand times no" about
>some proposition to do with CA cert lifetimes?
>
>In other words, if CA key lifetimes are longer than indicated by their
>X.509 properties, it seems to me that just makes the quoted text about
>the relationship between server and CA key lifetimes even more true.

Ah, I see what you are saying, and what Perry's anonymous forwarder meant. That is, if the "CA keys have lifetimes of 10 years or more" means "because that's how long OSs and browsers leave them in the trust anchor pile", then it has nothing to do with the built-in notAfter dates in the server certificates.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com