On 01/09/2009 11:32 PM, Benjamin Smedberg:
On 1/9/09 4:25 PM, Johnathan Nightingale wrote:
On 9-Jan-09, at 1:27 PM, Benjamin Smedberg wrote:
Perhaps it would help if we had some additional information such as: what is
the maximum certificate expiration time? That is, if all CAs stopped using
MD5 *today* and switched to SHA-256, how long would it be before there were
no unexpired certificates? Is that the upper bound on how long it would be
before we could disable MD5 and SHA1?
So as I mentioned, I've been collecting certificates for a little while,
and soon I hope to make the code + data public but there are still some
Yeah, I was hoping for a "certificates always have a lifespan of {1,2,3}
years" kind of answer, instead of a statistical one. Is there not a CA
guideline for the maximum lifespan of a certificate?
Benjamin, see
https://wiki.mozilla.org/CA:Problematic_Practices#Long-lived_DV_certificates
Anything beyond two years should be discouraged, whereas I view anything
beyond four years unacceptable. There is at least one CA which
theoretically still can issue certs for ten years according to their
CP/CPS and has done so in the past. Mozilla is completely aware of that
btw.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto