Erik Amundson wrote:
Validity periods aside, we have experimented quite a bit with putting certs on everything we possibly can, and we've found that there are a whole lot of products that can't handle root key sizes above 2048, some can't even handle anything larger than 1024.
Included in the 'can't handle your root' list are several Cisco products (some products can handle 2048, some 1024, some 4096), and many software products that use an older Java version that has a max of 2048.
This has always raised the question: Why do software authors think to implement PKI, but not think that key sizes will eventually grow over time? Seems very short-sighted to me.
Consider the hardware platforms some of these operations run on... It takes a long time to generate 1024 bit dsa keys on a 20mhz motorola 68020. Using them in a key exchange is also expnsive on such hardware... I think it's a safe assumption that there's some planned obsolence where the software and hardware elements of the platform meet in the cryptogrphic realm.
I guess the option to choose for full interoperability is 1024 keys on all certs, but that is at a sacrifice of security on your higher-level certs...
- Erik Amundson
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Joe Maimon Sent: Wednesday, September 05, 2007 9:06 AM To: North American Networking and Offtopic Gripes List Subject: PKI operators anyone?
MS-PRESS recommended design guidelines for multi-tier PKI systems for validity periods are along the lines of
8 years for the root 4 years for the "policy" 2 years for the "issuing" 1 year for the issued certificate
This is ostensibly due to fears of brute force cracking of the private keys over the root key's validity period.
Accompanied with this recommendation is one for key lengths of
4096 for the root 2048 for the policy 1024 for the issuing and for the issued.
I have found the downside to this: Constant renewals every single year of either minor or major impact.
While MS-AD pki client implementations seem to handle most of the (except for the root) resigning just fine, external implementation struggle with some details, such as "chaining up to the root" trusting (thereby only requiring them to trust the root cert) and such as trusting two different certs (for an issuing CA that gets resigned) but that have the same common name, hence loads of fun every 11 months or so.
I am about to recommend a re implementation along these lines
80 years for the root, 4096bit key 35 years for the policy, 4096bit key 15 years for the issuing, ?bit key <=5 years for the issued certificates.
Good idea? Bad Idea? Comments? Are all pki client implementation in the wild 4096bit compatible?
Thanks in advance,
Joe