Steven M. Bellovin wrote:
The question about root key lifetime turns not just on the security issues but on how easy it is to change the root key, either routinely or in event of a compromise. To a first approximation, no certificate acceptor *ever* changes its notion of root keys. In that case, the question is how many acceptors you have, what their lifetime is, and how easily you can be one of the rare people who does change the root. That's why browsers have long-lived certificates built in -- that list rarely changes. You suggest an 80-year lifetime for your root key. How many of your current devices do you expect to be using in 80 years? I thought so...
Hopefully none, at half-life. Thats the point.
Beyond that, at this point I would not issue any certificates that expire after 03:14:07 UTC on Jan 19, 2038. Doing otherwise is just asking for trouble. The reason is left as an exercise for the reader.
This is actually a good point. Epoch rollover? Are you suggesting that any cert set to expire after the epoch may tickle issues now?
So -- I haven't answered your questions at all. Instead, I've asked questions of my own.
--Steve Bellovin, http://www.cs.columbia.edu/~smb