Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-05-01 Thread Nico Williams
The idea of using fresh certs (not necessarily short-lived) came up in the TLS WG list in the context of the OCSP multi-stapling proposal. So far the most important objection to fresh-lived certs was that it exacerbates clock synchronization issues, but I'm willing to live with that. Short-lived

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-05-01 Thread James A. Donald
On 2012-05-02 12:23 AM, Peter Gutmann wrote: Thor Lancelot Simon writes: NIST says 2048 bit RSA keys should have a 3 year lifetime. Who here really wants to explain to customers (or investors!) that he willfully ignored that recommendation and just reused the same old key when making the CSR

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-05-01 Thread Peter Gutmann
>So does the expiry period actually matter that much? Intuitively yes, >rationally, no. That's a point that I've made as well in the past: Having said that, the idea that a short certificate lifetime is better seems to be accepted more as an article of faith than as a product of any real a

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-05-01 Thread Thor Lancelot Simon
On Wed, May 02, 2012 at 02:23:47AM +1200, Peter Gutmann wrote: > Thor Lancelot Simon writes: > > >NIST says 2048 bit RSA keys should have a 3 year lifetime. Who here really > >wants to explain to customers (or investors!) that he willfully ignored that > >recommendation and just reused the same

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-05-01 Thread Peter Gutmann
Thor Lancelot Simon writes: >NIST says 2048 bit RSA keys should have a 3 year lifetime. Who here really >wants to explain to customers (or investors!) that he willfully ignored that >recommendation and just reused the same old key when making the CSR for that >new certificate? This is standard
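The three practical checks argued over in this thread (how long a cert actually lives, whether the renewal CSR reuses the old key as Thor Lancelot Simon and Peter Gutmann discuss above, and how a short lifetime interacts with an unsynchronised client clock as Nico Williams raises) can be written down concretely. The Go program below is an added example using only the standard library; it is not code from any poster or from any CA. The 39-month ceiling, the `example.test` subject and the certificates and CSRs it builds are all constructed here for illustration and are not quotes of any CA/Browser Forum rule.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// maxValidity is an assumed policy ceiling (hypothetical, for this example only):
// roughly 39 months. The 6-year DV certs the thread objects to are far past it.
const maxValidity = 39 * 30 * 24 * time.Hour

// Report collects the results so they can be checked rather than only printed.
type Report struct {
	Days          float64 // lifetime of the long-lived cert in days
	Excessive     bool    // lifetime exceeds maxValidity
	ReusedOldKey  bool    // renewal CSR carries the same SPKI as the old cert
	FreshKeyReuse bool    // CSR made with a new key reported as reused (should be false)
	ShortValid    bool    // 3-day cert as seen by a correctly synchronised client
	ShortSkewed   bool    // same cert as seen by a client whose clock is 2 days slow
}

// validityDays returns NotAfter - NotBefore in days.
func validityDays(cert *x509.Certificate) float64 {
	return cert.NotAfter.Sub(cert.NotBefore).Hours() / 24
}

// excessiveValidity reports whether the cert lives longer than maxValidity.
func excessiveValidity(cert *x509.Certificate) bool {
	return cert.NotAfter.Sub(cert.NotBefore) > maxValidity
}

// spkiFingerprint hashes the DER SubjectPublicKeyInfo; a cert and a CSR made
// from the same key have identical SPKI bytes regardless of subject or dates.
func spkiFingerprint(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return hex.EncodeToString(sum[:])
}

// keyReused reports whether csr presents the public key already in old.
func keyReused(old *x509.Certificate, csr *x509.CertificateRequest) bool {
	return spkiFingerprint(old.RawSubjectPublicKeyInfo) ==
		spkiFingerprint(csr.RawSubjectPublicKeyInfo)
}

// validAt evaluates the validity window from the point of view of a client
// whose clock is off from true time by skew (negative = clock is slow).
func validAt(cert *x509.Certificate, trueNow time.Time, skew time.Duration) bool {
	clientNow := trueNow.Add(skew)
	return !clientNow.Before(cert.NotBefore) && !clientNow.After(cert.NotAfter)
}

// selfSignedCert builds a self-signed test certificate (constructed data).
func selfSignedCert(key *rsa.PrivateKey, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // hypothetical name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// csrFor builds a renewal CSR signed by key (constructed data).
func csrFor(key *rsa.PrivateKey) (*x509.CertificateRequest, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.test"}}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// demo runs all three checks on constructed certs and CSRs.
func demo() (Report, error) {
	var r Report
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	issued := time.Date(2012, 4, 23, 0, 0, 0, 0, time.UTC) // constructed date

	// 1. A 6-year cert, as in the thread's subject line.
	long, err := selfSignedCert(oldKey, issued, 6*365*24*time.Hour)
	if err != nil {
		return r, err
	}
	r.Days = validityDays(long)
	r.Excessive = excessiveValidity(long)

	// 2. Renewal CSRs: one reusing the old key, one with a fresh key.
	reuseCSR, err := csrFor(oldKey)
	if err != nil {
		return r, err
	}
	freshCSR, err := csrFor(newKey)
	if err != nil {
		return r, err
	}
	r.ReusedOldKey = keyReused(long, reuseCSR)
	r.FreshKeyReuse = keyReused(long, freshCSR)

	// 3. A 3-day cert seen one day after issuance, with and without clock skew.
	short, err := selfSignedCert(newKey, issued, 72*time.Hour)
	if err != nil {
		return r, err
	}
	trueNow := issued.Add(24 * time.Hour)
	r.ShortValid = validAt(short, trueNow, 0)
	r.ShortSkewed = validAt(short, trueNow, -48*time.Hour)
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The SPKI comparison is the check a CA (or a renewal script) would run to notice that a new CSR did not rotate the key; comparing the whole CSR or its subject tells you nothing, since those legitimately match across renewals. The skew case shows the trade-off in Nico Williams's message in numbers: a 3-day cert is rejected as not-yet-valid by a client whose clock is two days slow, while the same client would accept a cert issued a week ago.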

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-24 Thread Thor Lancelot Simon
On Tue, Apr 24, 2012 at 12:07:33PM -0500, Nico Williams wrote: > On Tue, Apr 24, 2012 at 11:20 AM, Marsh Ray wrote: > > On 04/23/2012 08:47 PM, Peter Maxwell wrote: > > I look at it this way: > > > > * Revocation is junk. It doesn't work. It especially doesn't work when an > > attacker wants it no

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-24 Thread Peter Maxwell
On 24 April 2012 17:20, Marsh Ray wrote: > On 04/23/2012 08:47 PM, Peter Maxwell wrote: > >> >> On 23 April 2012 22:41, Marsh Ray wrote: >> >>Do you all agree with my assertion that "No one with a clue about >>PKI security would believe that a revoked

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-24 Thread Nico Williams
On Tue, Apr 24, 2012 at 11:20 AM, Marsh Ray wrote: > On 04/23/2012 08:47 PM, Peter Maxwell wrote: > I look at it this way: > > * Revocation is junk. It doesn't work. It especially doesn't work when an > attacker wants it not to work. > > It is so broken that Chrome isn't even going to bother with

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-24 Thread Marsh Ray
On 04/23/2012 08:47 PM, Peter Maxwell wrote: On 23 April 2012 22:41, Marsh Ray wrote: Do you all agree with my assertion that "No one with a clue about PKI security would believe that a revoked cert provides equivalent security from misuse as a natu

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-23 Thread Peter Maxwell
On 23 April 2012 22:41, Marsh Ray wrote: > > Thought the list might be interested in this little development in the PKI > saga. > > Do you all agree with my assertion that "No one with a clue about PKI > security would believe that a revoked cert provides equivalent security > from misuse as a na

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-23 Thread ianG
On 24/04/12 07:41 AM, Marsh Ray wrote: Thought the list might be interested in this little development in the PKI saga. Do you all agree with my assertion that "No one with a clue about PKI security would believe that a revoked cert provides equivalent security from misuse as a naturally-expire

Re: [cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-23 Thread Jeffrey Walton
On Mon, Apr 23, 2012 at 5:41 PM, Marsh Ray wrote: > > Thought the list might be interested in this little development in the PKI > saga. > > Do you all agree with my assertion that "No one with a clue about PKI > security would believe that a revoked cert provides equivalent security from > misuse

[cryptography] Symantec/Verisign DV certs issued with excessive validity period of 6 years

2012-04-23 Thread Marsh Ray
Thought the list might be interested in this little development in the PKI saga. Do you all agree with my assertion that "No one with a clue about PKI security would believe that a revoked cert provides equivalent security from misuse as a naturally-expired cert." ? - Marsh https://bugzi