[arin-tech-discuss] RPKI How long to set a ROA certificate
Danny McPherson
danny at tcb.net
Thu Jan 17 13:24:45 EST 2019
On 2019-01-11 16:47, Christopher Morrow wrote:
>
> Maybe the question to ask is: "What is this cert doing, what happens
> if you lose control of the key material for it?"
> That should guide how long a certificate could be outside of your
> control... and thus the length of validity of the cert?
Agreed, especially on the "what happens when you lose it" point.
Additionally, while prefix/origin AS binding should be more stable than
websites even with the relatively short validity periods used for webPKI
(which were in part an artifact of people having to pay for TLS/SSL
certificates on an annual basis until all the freebies emerged and, more
recently, the CAB forum setting max validity to ~2 years a year or so
ago, IIRC), the overall revocation model going the way of webPKI (e.g.,
punt non-expired but revoked certs out of CRLs for various reasons,
wholly ignore CRLs in relying party software because of startup and
processing issues, etc.) isn't a desirable thing, methinks... Shorter
timeframes (e.g., 1-3 years) force better hygiene earlier in the
deployment process as well.
-danny