[arin-tech-discuss] RPKI How long to set a ROA certificate

Christopher Morrow morrowc.lists at gmail.com
Fri Jan 11 16:47:02 EST 2019


On Fri, Jan 11, 2019 at 4:13 PM Mark Kosters <markk at arin.net> wrote:

> Hi David et al.
>
> This is good input. The code was written to match the lifetime of the
> resource cert. We can certainly lower the default down. Is 3 years the
> consensus?
>
> Thanks,
>
> Mark
>
> From: arin-tech-discuss <arin-tech-discuss-bounces at arin.net> on behalf
> of David Farmer <farmer at umn.edu>
> Date: Friday, January 11, 2019 at 12:10 PM
> To: Christopher Morrow <morrowc.lists at gmail.com>
> Cc: "arin-tech-discuss at arin.net" <arin-tech-discuss at arin.net>
> Subject: Re: [arin-tech-discuss] RPKI How long to set a ROA certificate
>
> On Fri, Jan 11, 2019 at 1:13 AM Christopher Morrow <
> morrowc.lists at gmail.com> wrote:
>
> On Thu, Jan 10, 2019 at 10:29 PM Delacruz, Anthony B <
> Anthony.DeLaCruz at centurylink.com> wrote:
>
> The default using ARIN systems looks to be 10 years. That just feels like
> too long given how other certificates I interact with expire. What is
> everyone else
>
> that seems very long.
>
> I expect it might make sense to think about how long do you expect to need
> the ROA (for example)? and how often will your automation be able to update
> all objects which need to be updated? One other thing to keep in mind is
> how long do you think a 'lost' object to be usable?
>
> I agree that is long, and probably too long for the default, but it's not
> insanely long; for much of the Internet prefixes don't change very much
> once they are advertised, and typically the prefixes allocated or assigned
> are the ones advertised. The prefixes intentionally advertised by our
> network have been stable for several decades; yes, we have added new
> prefixes, but in the last thirty years, only one of our prefixes has had a
> more specific added to our list of intentionally advertised prefixes once
> initially advertised. The nature and longevity (more than 150 years) of our
> institution lends itself to an abnormally high level of stability;
> nevertheless, for much of the Internet stability on a scale of several years
> is the norm.
>
> tending to do? We're just putting our toe in the water for this, so using
> the hosted to accommodate a few customers as we research and test doing
> delegated, which probably would be 2 or so years out. Would I run into
> trouble if it's too long then switch to us running on our servers? I
> wouldn't think so, just expire it and issue new ones, right? Any tips on
> running hosted for a while with intent to switch to delegated?
>
> seems correct to me, there may be more wonkery required than at first
> blush seems right, but :)
>
> I think somewhere between 2 to 5 years is reasonable and going to be
> common, probably starting out closer to 2 years and over time moving closer
> to 5 years as everyone gains experience. But if you are just dipping your
> toes in the water, 1 or 2 years seems perfectly appropriate.
>
> I'd like to see ARIN change the default to 3 years; 10 years is way too
> long for the default, though 10 years might be a reasonable maximum. I'm
> suggesting 3 years to help encourage people not to use too short a time,
> but also these things need to be regularly evaluated and updated too; 3
> years seems a reasonable balance of the issues, at least without additional
> knowledge of other circumstances involved.
>

Maybe the question to ask is: "What is this cert doing, what happens if you
lose control of the key material for it?"
That should guide how long a certificate could be outside of your
control... and thus the length of validity of the cert?


> --
>
> ===============================================
> David Farmer               Email:farmer at umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
>
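The two questions raised in this thread, Morrow's "what happens if you lose control of the key material?" and Farmer's numbers (a 3-year default, 10 years as a ceiling, and an automation cadence that can re-issue objects in time), can be turned into a small audit an operator runs over their own ROA inventory. The code below is an added example for this archive page, not ARIN's hosted-RPKI code and not any RPKI tool's output format. It assumes you already have each ROA's EE certificate notBefore/notAfter as datetimes (from your hosted-RPKI inventory or a validator's parsed output); the ROA records, the documentation prefixes and ASNs, the renewal lead time and the policy numbers are all constructed for the example.

```python
"""Audit ROA validity periods against a lifetime policy (added example,
not ARIN's or any RPKI tool's code; all records below are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class RoaRecord:
    name: str            # free-form label; documentation prefixes/ASNs used here
    not_before: datetime  # EE certificate notBefore, already extracted
    not_after: datetime   # EE certificate notAfter, already extracted


@dataclass(frozen=True)
class LifetimePolicy:
    max_years: int = 10     # ceiling suggested on the list
    target_years: int = 3   # default the thread argues for
    # how far ahead of expiry your automation must have re-issued the object
    renewal_lead: timedelta = timedelta(days=90)   # assumed value


def add_years(dt, n):
    """Calendar-year addition, so a 10-year cert compares equal to a 10-year
    ceiling instead of tripping it through leap-day rounding."""
    try:
        return dt.replace(year=dt.year + n)
    except ValueError:            # 29 Feb landing in a non-leap year
        return dt.replace(year=dt.year + n, day=28)


def exposure_window(roa, lost_at):
    """How long a ROA whose key material was lost at `lost_at` keeps
    validating if nothing revokes it: the remaining validity, never negative."""
    return max(roa.not_after - lost_at, timedelta(0))


def audit_roa(roa, policy, now):
    """Return the policy findings for one ROA (empty list means clean)."""
    findings = []
    if roa.not_after > add_years(roa.not_before, policy.max_years):
        findings.append("lifetime-exceeds-max")
    elif roa.not_after > add_years(roa.not_before, policy.target_years):
        findings.append("lifetime-over-target")
    if now >= roa.not_after:
        findings.append("expired")
    elif roa.not_after - now <= policy.renewal_lead:
        findings.append("renew-now")
    return findings


def audit_all(roas, policy, now):
    """Map each ROA label to its findings."""
    return {roa.name: audit_roa(roa, policy, now) for roa in roas}


# Constructed inventory: documentation prefixes (RFC 5737 / RFC 3849) and
# documentation ASNs (RFC 5398); dates chosen to exercise each rule.
NOW = datetime(2019, 1, 11, tzinfo=UTC)
POLICY = LifetimePolicy()
SAMPLE_ROAS = [
    # the 10-year default discussed in the thread: at the ceiling, over target
    RoaRecord("192.0.2.0/24 AS64496",
              datetime(2018, 6, 1, tzinfo=UTC), datetime(2028, 6, 1, tzinfo=UTC)),
    # 3-year lifetime, plenty of runway: clean
    RoaRecord("198.51.100.0/24 AS64496",
              datetime(2018, 6, 1, tzinfo=UTC), datetime(2021, 6, 1, tzinfo=UTC)),
    # 1-year lifetime expiring in three weeks: automation must re-issue now
    RoaRecord("203.0.113.0/24 AS64496",
              datetime(2018, 2, 1, tzinfo=UTC), datetime(2019, 2, 1, tzinfo=UTC)),
    # 12-year lifetime: beyond the ceiling
    RoaRecord("2001:db8::/32 AS64496",
              datetime(2017, 1, 1, tzinfo=UTC), datetime(2029, 1, 1, tzinfo=UTC)),
    # already lapsed: routes covered only by this ROA are now "unknown"
    RoaRecord("203.0.113.0/25 AS64497",
              datetime(2017, 1, 1, tzinfo=UTC), datetime(2018, 12, 31, tzinfo=UTC)),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ROAS, POLICY, NOW).items():
        print(f"{name:28s} {findings or 'ok'}")
    # Morrow's question, made concrete: lose the key for the 10-year ROA
    # today and it stays valid for this long unless it is revoked.
    print("exposure if key lost today:", exposure_window(SAMPLE_ROAS[0], NOW))
```

The lifetime checks use calendar years deliberately, so a certificate issued with exactly the 10-year default sits at the ceiling rather than over it; the renewal lead time is the knob to tie to how often your automation can actually re-issue every dependent object, which is the cadence Morrow asks about.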