Re: [pkix] Managing Long-Lived CA certs

Carl Wallace <carl@redhoundsoftware.com> Mon, 17 July 2017 15:43 UTC

Date: Mon, 17 Jul 2017 11:42:53 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: "Dr. Pala" <director@openca.org>, <pkix@ietf.org>
Message-ID: <D5925287.981D0%carl@redhoundsoftware.com>
Thread-Topic: [pkix] Managing Long-Lived CA certs
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org>
In-Reply-To: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/JC_rLXzjf9qWTggl1OU33gHkr-A>
Subject: Re: [pkix] Managing Long-Lived CA certs

Inline..

From:  pkix <pkix-bounces@ietf.org> on behalf of "Dr. Pala" <director@openca.org>
Organization:  OpenCA Labs
Date:  Monday, July 17, 2017 at 10:19 AM
To:  <pkix@ietf.org>
Subject:  [pkix] Managing Long-Lived CA certs

> Hi PKIX,
>
> I have a small question for the list regarding long-lived CA certificates.
> Especially in the context of device certificates, we often see the use of
> extra long-lived certificates for Root and Sub CAs (e.g., 35+ years) combined
> with limited key sizes (e.g., p256).
>
> Until we have a supported mechanism for reprovisioning devices (...), one
> possible solution for limiting the exposure of the private key would be to
> have a scoped certificate issuance period.
>
> What I am thinking about would be adding an extension that says: "This CA can
> issue certificates for up to 5 years from the validFrom; after this, just use
> it to provide revocation information". This might provide some protection in
> case the CA key is compromised after the initial 5 years of validity (e.g.,
> certificates issued after that date shall be rejected).

[CW] Wouldn't the protection need to come in the form of revocation? If the
CA key is compromised, the validity period in certificates cannot be
trusted.
>
> Does such an extension exist today? If not, could this be some work for
> LAMPS/SPASM WG?
>
> Cheers,
> Max
>
> --
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director
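The issuance-window extension discussed in this thread does not exist as a standardized X.509 extension. The following is an added example, not code from the thread, from OpenCA or from any PKIX document: it models the proposed extension as a plain field on a minimal certificate record (no ASN.1), implements the check a relying party would run, and walks the three cases the thread raises: a certificate issued inside the window, one issued after it, and one signed with a compromised CA key but backdated into the window. All names, serials and dates are constructed, and the 365-day year is an assumption of the model, not a profile rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

# Added example. Cert is a stand-in for an X.509 certificate carrying only
# the fields the checks below need. The thread's hypothetical "issuance
# period" extension is modeled as the issuance_years field rather than as
# a real extension, since no such extension is standardized.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    # Hypothetical CA-only extension: years after this CA certificate's
    # notBefore during which it may issue certificates. None = absent.
    issuance_years: Optional[int] = None


# Stand-in for CRL data from every issuer: (issuer name, serial) pairs.
RevokedSet = Set[Tuple[str, int]]


def issuance_window_end(ca: Cert) -> Optional[datetime]:
    """End of the CA's issuance window, or None if unconstrained.
    365-day years are an assumption that keeps this stdlib-only."""
    if ca.issuance_years is None:
        return None
    return ca.not_before + timedelta(days=365 * ca.issuance_years)


def validate(ca: Cert, ee: Cert, now: datetime, revoked: RevokedSet) -> str:
    """Return "ok" or the first reason the end-entity certificate is rejected.

    Revocation of the issuer is checked before anything read from the
    end-entity certificate: once the CA key is compromised, every field
    the attacker signs, notBefore included, is under the attacker's control.
    """
    if ee.issuer != ca.subject:
        return "issuer-mismatch"
    if (ca.issuer, ca.serial) in revoked:
        return "issuer-revoked"
    if (ee.issuer, ee.serial) in revoked:
        return "revoked"
    if not (ee.not_before <= now <= ee.not_after):
        return "outside-validity"
    end = issuance_window_end(ca)
    if end is not None and not (ca.not_before <= ee.not_before <= end):
        return "outside-issuance-window"
    return "ok"


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed scenario: a 35-year device root constrained to issue for
# 5 years. The root is self-signed, so its issuer is itself.
ROOT = Cert("Device Root CA", "Device Root CA", 1,
            utc(2017, 1, 1), utc(2052, 1, 1), issuance_years=5)
NOW = utc(2026, 1, 1)

# Issued inside the window: the normal case.
LEGIT = Cert("device-0001", "Device Root CA", 1001, utc(2019, 6, 1), utc(2029, 6, 1))
# Issued after the window closed, honestly dated.
LATE = Cert("device-0002", "Device Root CA", 1002, utc(2025, 3, 1), utc(2035, 3, 1))
# Signed in 2025 with a compromised root key, notBefore backdated into
# the window: indistinguishable from LEGIT to the window check.
FORGED = Cert("device-evil", "Device Root CA", 1003, utc(2019, 6, 1), utc(2029, 6, 1))


def scenario(revoked: RevokedSet) -> dict:
    """Validate all three constructed certificates against ROOT."""
    return {c.subject: validate(ROOT, c, NOW, revoked) for c in (LEGIT, LATE, FORGED)}


if __name__ == "__main__":
    print("no revocation data:", scenario(set()))
    print("root cert revoked :", scenario({("Device Root CA", 1)}))
```

With no revocation data the window check rejects the honestly dated late certificate but accepts the backdated forgery, since notBefore is just another field the compromised key signs. Only a CRL entry for the root certificate itself rejects the forgery, which is why the check order in `validate` consults issuer revocation before reading anything from the end-entity certificate.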