[ca-tf] Policy proposal
Robert Kisteleki robert at ripe.net
Mon May 3 16:04:09 CEST 2010
On 2010.05.03. 15:25, Gert Doering wrote:
> Hi,
>
> On Mon, May 03, 2010 at 03:19:41PM +0200, Robert Kisteleki wrote:
>> On slide 7: I think that the 3-5 year validity and the "reissue annually"
>> are mutually exclusive. The reason why you want to have 3-5 years in the
>> first place is to avoid the issues arising from not re-issuing. In other
>> words, it doesn't make sense to re-issue if the previous certificate is still
>> valid.
>
> Maybe "re-issue" is not the correct crypto word here.
>
> I know that in SSL web certificates, it's best current practice to
> issue "new" certificates a few weeks before the "old" certificate runs
> out (avoiding the term re-issue) - to give people a bit of slack to
> upgrade their end, not having a flag day.

That's one of the reasons, yes.

> I think that's the point: not having a flag day where the old cert runs
> out and a "somewhat lazy" LIR does not have time to install the new one
> in time.

What usually happens in SSL land is that the same keys are used for
(usually) two cycles. That is, the expected lifetime of a key is two
years, with two times one year certificates.

So what's the idea in this context? If the very first issuance is for say
3 years, then what is the expected result of the re-issuance? Again 3
years? Because that'd overlap with the previous one for 2 years, and
effectively make the key live for 4 years instead of 3.

> So how to phrase that correctly in terms of X.509 crypto?

Renewal.

Cheers,
Robert

> Gert Doering
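The two renewal models argued over above (a 3-year certificate re-issued annually versus the SSL habit of one-year certificates with a key reused for two cycles) can be simulated with a small schedule model. This is an added example, not code from the thread or from the CA task force; it assumes 365-day years, that "re-issue" means a fresh certificate issued at a fixed interval, and that one key is reused for a configurable number of consecutive certificates before a new key is generated. The helper names (renewal_schedule, has_flag_day, overlap_days, key_lifetimes) are invented here. It computes the three properties the thread cares about: whether a gap (flag day) ever opens up, how long consecutive certificates overlap, and how long each key is effectively alive.

```python
from dataclasses import dataclass

DAYS_PER_YEAR = 365  # assumption: leap days ignored


@dataclass(frozen=True)
class Cert:
    """Constructed model of one certificate; times are day offsets from the
    first issuance (day 0), which keeps the arithmetic free of calendar quirks."""
    key_id: int
    not_before: int
    not_after: int


def renewal_schedule(validity_days, renew_interval_days, certs_per_key, n_certs):
    """Issue n_certs certificates, each valid for validity_days, one every
    renew_interval_days. The same key serves certs_per_key consecutive
    certificates before a fresh key is rolled in (hypothetical policy knob)."""
    certs = []
    for i in range(n_certs):
        not_before = i * renew_interval_days
        certs.append(Cert(key_id=i // certs_per_key,
                          not_before=not_before,
                          not_after=not_before + validity_days))
    return certs


def has_flag_day(certs):
    """True if there is a moment when no certificate is valid, i.e. the next
    certificate starts after the previous one has already expired."""
    return any(nxt.not_before > prev.not_after
               for prev, nxt in zip(certs, certs[1:]))


def overlap_days(certs):
    """Days during which each pair of consecutive certificates is valid at once;
    this is the slack a relying party has to switch to the new certificate."""
    return [max(0, prev.not_after - nxt.not_before)
            for prev, nxt in zip(certs, certs[1:])]


def key_lifetimes(certs):
    """Effective lifetime of each key: from the not_before of its first
    certificate to the not_after of its last one."""
    span = {}
    for c in certs:
        first, last = span.get(c.key_id, (c.not_before, c.not_after))
        span[c.key_id] = (min(first, c.not_before), max(last, c.not_after))
    return {k: last - first for k, (first, last) in span.items()}


def summarize(certs):
    """Collect the three policy-relevant figures for a schedule."""
    return {
        "flag_day": has_flag_day(certs),
        "overlap_days": overlap_days(certs),
        "key_lifetime_days": key_lifetimes(certs),
    }


if __name__ == "__main__":
    # Robert's scenario: 3-year certificates, re-issued after one year on the same key.
    print("3y validity, annual re-issue:",
          summarize(renewal_schedule(3 * DAYS_PER_YEAR, DAYS_PER_YEAR, 2, 2)))
    # SSL practice: 1-year certificates, renewed three weeks early, key reused twice.
    print("1y validity, renew 21 days early:",
          summarize(renewal_schedule(DAYS_PER_YEAR, DAYS_PER_YEAR - 21, 2, 4)))
    # The failure mode being avoided: renewing later than the old certificate expires.
    print("late renewal:",
          summarize(renewal_schedule(DAYS_PER_YEAR, DAYS_PER_YEAR + 35, 1, 2)))
```

With a 3-year validity and an annual re-issue on the same key, the model reports a 2-year overlap and a 4-year key lifetime, which is exactly the mismatch Robert points out; with one-year certificates renewed three weeks early the overlap is 21 days and each key lives just under two years, and only the late-renewal schedule shows a flag day.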
