On Wed, 02 Mar 2005 15:01:58 +0000, Nik wrote:

> Q1: Except for guaranteeing commercial certificate authorities' continued
> revenues, what is the case for making the various certificates expire?

Let me start with a few examples:

- Let's say that there's an attack against RSA discovered that cuts 13 bits off the effective key length (meaning that the total time for a brute force attack is less than 1/8000th of what it had been). You'll want to create new certificates with larger keys, right? Having your old keys expire provides an opportunity to recreate them with lengths that are more in line with current standards.

- Your company is disposing of a bunch of old hardware -- including a server, out of commission for years, that hasn't had its HD wiped. You have a valid private key signed by your company CA on there, IT neglected to revoke the certificate when the system was decommissioned (or your CRL isn't widely used or distributed), and the key is unencrypted so your server can boot without human intervention? Oops.

Valid certificates provide attack vectors -- enabling MITM attacks, ex-employees with access to your internal systems, scammers putting up servers that claim to belong to your company, and so forth. Having these certificates expire helps keep them under control -- so that the only ones out there are ones that you *want* to be there, because you kept renewing them. A key/cert pair may fall through the cracks, but even should that happen their lifetime is limited.

> Q2: What does everyone else do regarding their openvpn certificates?

Me? I issue 10-year certificates, and have toolage and policies for tracking which certificates are valid/revoked/etc, getting certificates that need to be revoked, and getting the CRLs out to where they need to go.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
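The expiry-and-revocation workflow the reply relies on, as an added example that is not part of the original post and not OpenVPN's own tooling: it builds a throwaway CA with the openssl CLI, issues a 30-day client certificate, checks how much lifetime it has left, revokes it, and shows a CRL-aware verification rejecting it. The CA config, names and paths are all constructed for the demo; it assumes only that `openssl` is installed.

```shell
# Added example, not from the original post: a throwaway CA (constructed here)
# issues a 30-day client cert, then exercises the two controls the reply
# relies on: expiry (openssl x509 -checkend) and revocation via a CRL.
set -eu
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Self-signed demo CA, then one client certificate valid for 30 days.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=demo-ca" -days 365 -config ca.cnf 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client1" -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in client.csr -out client.crt -notext 2>/dev/null
# 0 if the cert is still valid $2 seconds from now, 1 if it will have expired.
valid_in_seconds() { openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; }
# Regenerate the CRL from the CA database, then verify against CA + CRL:
# 0 if the cert chains to the CA and is not revoked, 1 otherwise.
verify_with_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  cat ca.crt crl.pem > chain.pem
  openssl verify -crl_check -CAfile chain.pem "$1" >/dev/null 2>&1
}
valid_in_seconds client.crt 86400 && echo "still valid tomorrow"
valid_in_seconds client.crt 5184000 || echo "expires within 60 days: renew it"
verify_with_crl client.crt && echo "before revocation: accepted"
openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
verify_with_crl client.crt || echo "after revocation: rejected by CRL check"
```

A client that verifies without the CRL (plain `openssl verify -CAfile ca.crt`) still accepts the revoked certificate, which is exactly why the reply stresses getting CRLs out to where they need to go.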