[cabfpub] A question about BR Section 6.3.2
sleevi at google.com
Wed Dec 20 15:57:13 UTC 2017
There is no requirement in the CA/Browser Forum at present to require
regular key rotation, nor is there a way for that to be verifiably
implemented across all CAs, as any subscriber can present a preexisting
keypair to another CA.
So no. The limit is to the lifetime of the certificate and the reuse of
Changing keys frequently is not a function of the key strength, but a
function of pragmatic key protections. Shorter-lifetime keys, such as 90
days, coupled with automated issuance, appropriately balance the realities
of clock skew in clients versus the practical challenges of meaningful key
protection on Internet-enabled systems.
On Wed, Dec 20, 2017 at 10:45 AM, 陳立群 via Public <public at cabforum.org>
> My colleague wants to ask that from BR 6.3.2 Certificate Operational
> Periods and Key Pair Usage Periods,
> "Subscriber Certificates issued after 1 March 2018 MUST have a Validity
> Period no greater than 825 days."
> Does the life time of every key pair of OV/DV/IV SSL certificate have to
> be no greater than 825 days after March 2018?
> Not only the discussion about revalidate domain name ownership or OV, IV,
> or processing like SHA-1 sunset issues to shorten the validity. The
> customer should change their RSA 2048 bits key pairs frequently. Right?
> Li-Chun Chen
> Please be advised that this email message (including any attachments)
> contains confidential information and may be legally privileged. If you are
> not the intended recipient, please destroy this message and all attachments
> from your system and do not further collect, process, or use them. Chunghwa
> Telecom and all its subsidiaries and associated companies shall not be
> liable for the improper or incomplete transmission of the information
> contained in this email nor for any delay in its receipt or damage to your
> system. If you are the intended recipient, please protect the confidential
> and/or personal information contained in this email with due care. Any
> unauthorized use, disclosure or distribution of this message in whole or in
> part is strictly prohibited. Also, please self-inspect attachments and
> hyperlinks contained in this email to ensure the information security and
> to protect personal information.
> Public mailing list
> Public at cabforum.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public