On Fri, Oct 7, 2011 at 7:59 PM, Kevin W. Wall <kevin.w.w...@gmail.com> wrote:
> On Fri, Oct 7, 2011 at 5:56 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>>
>> travis+ml-rbcryptogra...@subspacefield.org writes:
>>
>> >If we assume that the lifetime of the cert is there to limit its window of
>> >vulnerability to factoring, brute force, and other attacks against
>> >computational security properties,
>>
>> Which only occurs in textbooks.  It's probably not necessary to mention that
>> in real life the lifetime of a cert exists to enforce a CA's billing cycle,
>> but beyond that, that it's common practice to re-certify the same key year in,
>> year out, without changing it.  So even if you have a cert issued last year,
>> it may contain a key generated a decade ago.
>>
>> >It does, however, seem to ensure a subscription-based revenue model for CAs.
>>
>> That's it exactly.
>
> As evidenced by the fact that the typical SSL server cert has a 1 year lifetime
> and the typical CA cert has a 10 yr (or longer) lifetime.

It looks like 20 to 30 years:
https://spreadsheets.google.com/pub?key=ttwCVzDVuWzZYaDosdU6e3w&single=true&gid=0
(Mozilla's CA list).

Ignore the broken links to security policies and 3-year-old audits.
Just trust that everything is OK (CAs are busy doing other things, and
some don't have time to do things like update documentation or
audits).

Jeff
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
