[Openstack-security] Certificate life in OpenStack

Jeffrey Walton noloader at gmail.com
Mon May 12 05:37:40 UTC 2014


On Thu, May 8, 2014 at 5:10 AM, Clark, Robert Graham
<robert.clark at hp.com> wrote:
> We are looking at various applications of short-life certificates in
> OpenStack, an idea I've discussed with a few members of the OpenStack
> Security Group previously.
>
> Has anyone done any analysis on what the shortest lifespan you can
> generally get away with, or to put it another way, what's the longest
> operation that ever happens with an individual certificate?
>
> I'm sure this will vary by service but very curious to see what others
> have done.

The longest operation seems like it's a critical parameter here.
Because of the triple-handshake vulnerability (CVE-2014-1295), some
(all?) implementations bind old and new sessions. In the case of
Apple, I believe they require certificate continuity. If the
certificate changes, then that could disrupt a service. (I can only
say "could" because I'm not sure how certificate continuity is being
measured).

Jeff