[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Mehner, Carl Carl.Mehner at usaa.com
Tue Feb 21 21:38:00 UTC 2017


To Ryan’s point on relevance, even if it were relevant to the arguments in play, that document says 1-2 years for an authentication key (what I would classify this as) or Private Key Transport Key / Public Static Key Agreement Key (in the event of RSA key exchange); 13 or even 15 months falls into the NIST timeframe, while 27 – 39 months does not.

I would also agree with Peter’s assertion that most organizations would not (by software defaults or by security policy) re-use keys between certs.


From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin via Public
Sent: Tuesday, February 21, 2017 2:46 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>; Peter Bowen <pzb at amzn.com>
Cc: Dean Coclin <Dean_Coclin at symantec.com>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Not sure, I will pass on the question to ATT.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Tuesday, February 21, 2017 3:18 PM
To: Peter Bowen <pzb at amzn.com>
Cc: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Dean,

Can you share whether or not that was the case for AT&T?

On Tue, Feb 21, 2017 at 11:43 AM, Peter Bowen <pzb at amzn.com<mailto:pzb at amzn.com>> wrote:
   Many organizations have policies to not re-use keys between certificates.  Dropping the validity period therefore effectively drops the key usage period.

      On Feb 21, 2017, at 10:54 AM, Ryan Sleevi via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:

      This doesn't seem particularly relevant - I haven't heard any suggestion that this is about ensuring frequent key rotation, as opposed to all the other policies and practices being attested to in conjunction with the keys.

      On Tue, Feb 21, 2017 at 10:52 AM, Dean Coclin via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
         Posting on behalf of AT&T:

         AT&T typically looks to NIST for guidance and reference on industry standards, see page 45 of the attached (NIST SP800-57-Pt1R4) document.
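The key-reuse point raised by Peter and Carl above (where keys are not reused between certificates, the certificate validity period is also the key usage period; where they are, the key's cryptoperiod spans every renewal) can be checked mechanically by grouping certificates on their SubjectPublicKeyInfo and measuring the span from the earliest notBefore to the latest notAfter per key. The Go program below is an added example, not code from this thread or from the CA/Browser Forum; the three self-signed 13-month certificates, their dates and the 24-month limit (the upper end of the 1-2 years Carl cites) are constructed for illustration, and the names SampleChain, KeyUsagePeriods and ExceedsCryptoperiod are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// KeyPeriod is the effective usage window of one public key across every
// certificate that certifies it.
type KeyPeriod struct {
	NotBefore time.Time
	NotAfter  time.Time
	Certs     int
}

// Months returns the window length in whole calendar months.
func (p KeyPeriod) Months() int {
	y1, m1, d1 := p.NotBefore.Date()
	y2, m2, d2 := p.NotAfter.Date()
	months := (y2-y1)*12 + int(m2-m1)
	if d2 < d1 {
		months--
	}
	return months
}

// spkiFingerprint hashes the DER SubjectPublicKeyInfo, which identifies the
// key itself regardless of serial, subject or validity of the certificate.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// KeyUsagePeriods groups certificates by SPKI fingerprint and widens each
// key's window to cover every certificate issued for it.
func KeyUsagePeriods(certs []*x509.Certificate) map[string]KeyPeriod {
	out := map[string]KeyPeriod{}
	for _, c := range certs {
		fp := spkiFingerprint(c)
		p, seen := out[fp]
		if !seen {
			p = KeyPeriod{NotBefore: c.NotBefore, NotAfter: c.NotAfter}
		}
		if c.NotBefore.Before(p.NotBefore) {
			p.NotBefore = c.NotBefore
		}
		if c.NotAfter.After(p.NotAfter) {
			p.NotAfter = c.NotAfter
		}
		p.Certs++
		out[fp] = p
	}
	return out
}

// ExceedsCryptoperiod lists the keys whose effective usage window is longer
// than limitMonths (assumed policy limit, e.g. 24 for a 2-year cryptoperiod).
func ExceedsCryptoperiod(periods map[string]KeyPeriod, limitMonths int) []string {
	var over []string
	for fp, p := range periods {
		if p.Months() > limitMonths {
			over = append(over, fp)
		}
	}
	return over
}

// selfSigned issues a 13-month self-signed certificate for key starting at notBefore.
func selfSigned(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 13, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleChain builds constructed sample data: three yearly renewals, the first
// two reusing one key (k1), the third on a fresh key (k2).
func SampleChain() ([]*x509.Certificate, error) {
	k1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	start := time.Date(2017, 3, 1, 0, 0, 0, 0, time.UTC)
	var certs []*x509.Certificate
	for i, key := range []*ecdsa.PrivateKey{k1, k1, k2} {
		c, err := selfSigned(key, int64(i+1), start.AddDate(i, 0, 0))
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	certs, err := SampleChain()
	if err != nil {
		panic(err)
	}
	periods := KeyUsagePeriods(certs)
	for fp, p := range periods {
		fmt.Printf("key %s: %d cert(s), in use %d months (%s to %s)\n", fp[:16], p.Certs,
			p.Months(), p.NotBefore.Format("2006-01-02"), p.NotAfter.Format("2006-01-02"))
	}
	for _, fp := range ExceedsCryptoperiod(periods, 24) {
		fmt.Printf("key %s exceeds the 24-month cryptoperiod\n", fp[:16])
	}
}
```

With the constructed data the reused key is in use for 25 months (2017-03-01 to 2019-04-01) even though no single certificate exceeds 13 months, while the fresh key's usage period equals its one certificate's validity; the same grouping applied to Certificate Transparency or CA issuance records is how one would test Peter's claim for a given organization rather than assume it.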


