[arin-tech-discuss] RPKI Hosted Certificate expiry

Jimmy Hess mysidia at gmail.com
Wed Nov 1 11:26:19 EDT 2017

On Wed, Nov 1, 2017 at 10:12 AM, Mark Kosters <markk at arin.net> wrote:

> Hi Andrew,
> That was a good question – one that merited a bit of research on our part.
> Here’s what we have.
> Yes, ROAs cannot be created with dates past the expiration of the hosted
> certificate.

Arbitrary certificate churning or expiration based on time of credentials
that have not been compromised, and the associated maintenance cost, is a
good reason to avoid adopting RPKI in the first place.

Is there any adequate justification for why they don't simply use an
arbitrary value of 100 or 200 years, or an infinite expiration period, for
all the certs, in place of the arbitrary value of 10?

So unless keys need to be manually revoked for valid security reasons,
there should be no unnecessary certificate churn.

Also, if you want the ROAs to be good for a reasonable length of time,
then that implies you'll need a renewal of the hosted cert every year you
make new ROAs. E.g., to make ROAs valid for 9+ years, you'd also need to
renew the hosted cert every year to keep its expiration a sufficient number
of years ahead into the future.
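Added example, not code from this thread or from ARIN's hosted RPKI service: it models the constraint Mark states (a ROA cannot end after the hosted certificate expires) and derives the renewal cadence Jimmy describes. The 10-year certificate lifetime and 9-year ROA lifetime are the thread's figures; the dates and function names are assumptions.

```python
from datetime import date
from typing import List

# Constructed example: hosted cert lifetime of 10 years and a desired ROA
# lifetime of 9 years are the figures discussed in the thread.

def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def clamp_roa_end(cert_not_after: date, requested_end: date) -> date:
    """The hosted CA will not issue a ROA that ends after the cert's notAfter."""
    return min(requested_end, cert_not_after)

def roa_truncated(cert_not_after: date, requested_end: date) -> bool:
    """True when the requested ROA lifetime would be cut short by cert expiry."""
    return requested_end > cert_not_after

def last_creation_date(cert_not_after: date, roa_years: int) -> date:
    """Latest day on which a ROA of roa_years can be created untruncated."""
    return add_years(cert_not_after, -roa_years)

def renewal_schedule(issued: date, cert_years: int, roa_years: int,
                     horizon_years: int) -> List[date]:
    """Dates by which the hosted cert must be renewed so that a full-length
    ROA can always be created, over the given planning horizon.

    With cert_years=10 and roa_years=9 the slack is one year, so the cert
    must be renewed every year, as the post argues.
    """
    if roa_years >= cert_years:
        raise ValueError("ROA lifetime cannot exceed certificate lifetime")
    step = cert_years - roa_years          # slack between the two lifetimes
    end = add_years(issued, horizon_years)
    schedule, nxt = [], add_years(issued, step)
    while nxt <= end:
        schedule.append(nxt)
        nxt = add_years(nxt, step)
    return schedule

if __name__ == "__main__":
    cert_end = add_years(date(2017, 11, 1), 10)    # constructed notAfter
    print("ROA clamped to:", clamp_roa_end(cert_end, date(2030, 1, 1)))
    print("renewals:", renewal_schedule(date(2017, 11, 1), 10, 9, 5))
```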
