HSM outage causes root CA key loss

Weger, B.M.M. de b.m.m.d.weger at TUE.nl
Wed Jul 15 14:04:27 EDT 2009


>>Our current Server CA certificate will expire in 2026 (when hopefully it
>>won't be my problem!).
>Thus the universal CA root cert lifetime policy, "the lifetime of a CA root
>certificate is the time till retirement of the person in charge at its
>creation, plus five years" :-).

This neglects the not entirely unlikely possibility that long before your retirement
some clever person will have broken your cryptographic hash function or 
signature scheme.

I once saw a document referring to a PKI with a proposed certificate lifetime
of 100 years. Those people really care about their grandchildren.

The Cryptography Mailing List