[arin-tech-discuss] RPKI How long to set a ROA certificate

Danny McPherson danny at tcb.net
Thu Jan 17 13:24:45 EST 2019

On 2019-01-11 16:47, Christopher Morrow wrote:

> Maybe the question to ask is: "What is this cert doing, what happens
> if you lose control of the key material for it?"
> That should guide how long a certificate could be outside of your
> control... and thus the length of validity of the cert?

Agreed, especially on the "what happens when you lose it" point.

Additionally, while prefix/origin AS binding should be more stable than 
websites even with the relatively short validity periods used for webPKI 
(which were in part an artifact of people having to pay for TLS/SSL 
certificates on an annual basis until all the freebies emerged and, more 
recently, the CAB forum setting max validity to ~2 years a year or so 
ago, IIRC), the overall revocation model going the way of webPKI (e.g., 
punt non-expired but revoked certs out of CRLs for various reasons, 
wholly ignore CRLs in relying party software because of startup and 
processing issues, etc.) isn't a desirable thing, methinks... Shorter 
timeframes (e.g., 1-3 years) force better hygiene earlier in the 
deployment process as well.
