On Fri, Oct 7, 2011 at 5:56 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz>wrote:
> travis+ml-rbcryptogra...@subspacefield.org writes: > > >If we assume that the lifetime of the cert is there to limit its window of > >vulnerability to factoring, brute force, and other attacks against > >computational security properties, > > Which only occurs in textbooks. It's probably not necessary to mention > that > in real life the lifetime of a cert exists to enforce a CA's billing cycle, > but beyond that, that it's common practice to re-certify the same key year > in, > year out, without changing it. So even if you have a cert issued last > year, > it may contain a key generated a decade ago. > > >It does, however, seem to ensure a subscription-based revenue model for > CAs. > > That's it exactly. > As evidenced by the fact that the typical SSL server cert has a 1 year lifetime and the typical CA cert has a 10 yr (or longer) lifetime. The CAs are all about minimizing the hassle and cost to themselves and maximizing the cost (and thus profits) to everyone else. Unfortunately, there isn't much push back on this. IMO, there should be a browser tweak one could set to prevent the "Danger, Will Robinson! The sky is falling and evil aliens are approaching" pop-ups that the browsers seem to unanimously give. Sometimes it seems like there are in cahoots with the CAs. -kevin -- Blog: http://off-the-wall-security.blogspot.com/ "The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents." -- Nathaniel Borenstein
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography