> 2. Limited cert lifetimes mean that if an algorithm starts to look dodgy
> (e.g. as MD5 did) we can move the industry to new algorithms without
> having to worry about 20-year end-entity certs. This is why we have been
> pushing in the CAB Forum for shorter max cert lifetimes. It's the CAs
> who want longer lifetimes!

Either a site's admins are security conscious or they aren't, and if an algorithm is proven too weak then they should upgrade because they should. Having a sha512 or whirlpool 4096 bit certificate isn't going to help do anything but offer a false sense of security if they aren't security conscious, and PCI regulated systems are likely to be forced to upgrade. Enforcing a change every few months may actually reduce security on many servers, as their sudoers is not restrictive enough etc., and will add unnecessary burden on good admins who could securely use a cert for >5 years. Cert updates every few minutes are bound to result in major compromises, as not knowing when a certificate is issued is actually a big part of keeping the CAs' mechanisms secure at present, and yes, obscurity is no real security, but that's where we are. Not important at all, but it will also mean that you cannot check out their SSL and guess if they are likely on the ball in other areas, like knowing not to run X11 on a server, similar to how I gauge web servers negatively if they run IIS.

--
'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security