[arin-tech-discuss] RPKI Hosted Certificate expiry
Jimmy Hess
mysidia at gmail.com
Wed Nov 1 11:26:19 EDT 2017
On Wed, Nov 1, 2017 at 10:12 AM, Mark Kosters <markk at arin.net> wrote:
> Hi Andrew,
>
> That was a good question, one that merited a bit of research on our part.
> Here's what we have.
>
> Yes, ROAs cannot be created with dates past the expiration of the hosted
> certificate.
[snip]
Arbitrary certificate churning or expiration based on the age of credentials that have not been compromised, and the associated maintenance cost, is a good reason to avoid adopting RPKI in the first place.

Is there any adequate justification for why they don't simply use an arbitrary value of 100 or 200 years, or an infinite expiration period, for all the certs, in place of the arbitrary value of 10?

So unless keys need to be manually revoked for valid security reasons, there should be no unnecessary certificate churn.

Also, if you want the ROAs to be good for a reasonable length of time, then that implies you'll need a renewal of the hosted cert every year you make new ROAs. E.g. to make ROAs valid for 9+ years, you'll also need to renew the hosted cert every year to keep its expiration a sufficient number of years ahead into the future.
--
-Jimmy
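As an added illustration (not code from the thread, from ARIN, or from any RPKI software), the following Python model captures the two points above: a ROA's effective expiry is clamped to the hosted certificate's notAfter, and a simulation of one batch of ROAs per year shows how often the hosted cert must be renewed to keep a chosen ROA validity from being truncated. The ten-year certificate lifetime comes from the thread; the dates are constructed sample values and the function names are my own.

```python
from datetime import date
from typing import List, Tuple, Union

DateLike = Union[str, date]


def _as_date(v: DateLike) -> date:
    """Accept either a date or an ISO 8601 string such as a cert notAfter."""
    return v if isinstance(v, date) else date.fromisoformat(v)


def add_years(d: date, years: int) -> date:
    """Add whole years to a date, rolling Feb 29 back to Feb 28 when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def clamp_roa_expiry(cert_not_after: DateLike, requested_not_after: DateLike) -> date:
    """A ROA's end-entity certificate cannot outlive the issuing (hosted)
    certificate, so the effective ROA expiry is the earlier of the two."""
    return min(_as_date(cert_not_after), _as_date(requested_not_after))


def renewal_required(cert_not_after: DateLike, requested_not_after: DateLike) -> bool:
    """True when the requested ROA validity would be truncated by the cert."""
    return _as_date(requested_not_after) > _as_date(cert_not_after)


def renewal_plan(start: DateLike, cert_lifetime_years: int,
                 roa_validity_years: int, horizon_years: int) -> List[Tuple[int, bool]]:
    """Simulate creating one batch of ROAs per year, each intended to stay valid
    for roa_validity_years, under a hosted cert issued at `start` with a fixed
    lifetime (10 years in the thread). The cert is renewed, restarting its
    lifetime, whenever the new batch would otherwise be clamped.
    Returns (year offset, cert renewed that year) pairs."""
    start = _as_date(start)
    cert_not_after = add_years(start, cert_lifetime_years)
    plan = []
    for y in range(horizon_years):
        issued = add_years(start, y)
        wanted = add_years(issued, roa_validity_years)
        renew = renewal_required(cert_not_after, wanted)
        if renew:
            cert_not_after = add_years(issued, cert_lifetime_years)
        plan.append((y, renew))
    return plan


if __name__ == "__main__":
    # Constructed sample: hosted cert issued on the date of this thread.
    print(clamp_roa_expiry("2027-11-01", "2030-01-01"))   # 2027-11-01
    for years in (9, 10):
        print(years, renewal_plan("2017-11-01", 10, years, 5))
```

With a 10-year certificate, asking for 10-year ROAs forces a renewal every year after the first, while 9-year ROAs need one every other year; a very long certificate lifetime removes the renewals entirely, which is the trade-off the message argues about.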