by mmalone 2019 days ago
There are many use cases for internal PKI. This is just one of them. You’re nitpicking a default.

Credential rotation is good security hygiene. To suggest otherwise is malpractice. Our toolchain makes certificate rotation trivially easy. Why not rotate frequently?

Hopefully the threat model stuff made sense. It still feels like you actively want to disagree with me, and I’m still not sure why. But I agree that this is starting to feel unproductive.

I do appreciate the discussion. I understand your position on client certs better now. Your concerns are valid.

Maybe one day we can discuss over beers or something. It feels like that would be the right atmosphere.


No, arbitrarily frequent credential rotation is not universally good hygiene, and suggesting otherwise is not malpractice. Why not rotate frequently? Because doing so requires a high-availability CA, and reduces the reliability of the whole system, for marginal or no security benefit.
Counterpoint: if it hurts, do it more. That’s good operational hygiene. If you’re worried about certificate rotation failing, the surest way to make that process resilient is to do a lot of it. If you’re running the smallstep toolchain, you have an HA CA. That’s a sunk cost. That’s why it defaults to frequent rotation.

Furthermore, it’s not arbitrary. Credentials leak and services come and go. Having active keys around that aren’t in use is worse than not having them around. If someone accidentally commits a key to a GitHub repo or something, it’s nice to know that key will only be useful for a little while.

If you still want to rotate less frequently, change the default.

This really has very little to do with the topic at hand, so I’m not sure why we’re debating it. Do you want me to change the default certificate lifetime in step-ca? What do you think it should be?
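An added example to make the leaked-key argument above concrete (this is illustrative code written for this page, not code from the thread or from step-ca; the hostname svc.internal, the 24h and 90-day lifetimes and the two-thirds renewal point are assumptions chosen for illustration). It issues a leaf cert with a fixed lifetime, then asks what a relying party does with it at various times and how long a key that leaks part-way through the window stays useful:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serviceName is a constructed hostname for the example leaf certificate.
const serviceName = "svc.internal"

// issue builds a throwaway CA and a leaf certificate for serviceName whose
// validity window starts at issued and lasts exactly lifetime. It returns the
// trust pool a verifier would hold plus the parsed leaf. Keys are generated
// fresh and discarded; this is example code, not step-ca's issuer.
func issue(issued time.Time, lifetime time.Duration) (*x509.CertPool, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"}, // assumed name
		NotBefore:             issued.Add(-time.Hour),
		NotAfter:              issued.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serviceName},
		DNSNames:     []string{serviceName},
		NotBefore:    issued,
		NotAfter:     issued.Add(lifetime), // the only thing that bounds a leaked key
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, leaf, nil
}

// usableAt reports whether a relying party that trusts pool would accept leaf
// for serviceName at wall-clock time now. Outside [NotBefore, NotAfter] chain
// building fails, so a stolen key plus this cert buys an attacker nothing.
func usableAt(pool *x509.CertPool, leaf *x509.Certificate, now time.Time) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		DNSName:     serviceName,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// exposure is how long a key that leaked at leakedAt stays useful to whoever
// found it: the rest of the cert's lifetime, and zero once it has expired.
func exposure(leaf *x509.Certificate, leakedAt time.Time) time.Duration {
	if !leakedAt.Before(leaf.NotAfter) {
		return 0
	}
	return leaf.NotAfter.Sub(leakedAt)
}

// renewAt is when a well-behaved client should already have rotated: two-thirds
// through the window (an assumed, common choice), so a CA outage still leaves
// a third of the lifetime to retry before anything actually breaks.
func renewAt(leaf *x509.Certificate) time.Time {
	return leaf.NotBefore.Add(leaf.NotAfter.Sub(leaf.NotBefore) * 2 / 3)
}

func main() {
	issued := time.Now().UTC().Truncate(time.Second)
	for _, lifetime := range []time.Duration{24 * time.Hour, 90 * 24 * time.Hour} {
		pool, leaf, err := issue(issued, lifetime)
		if err != nil {
			panic(err)
		}
		leak := issued.Add(6 * time.Hour) // constructed: key pushed to a public repo 6h in
		fmt.Printf("lifetime %v: ok at +1h=%v, ok at expiry+1h=%v, 6h-in leak useful for %v, renew by %s\n",
			lifetime, usableAt(pool, leaf, issued.Add(time.Hour)),
			usableAt(pool, leaf, issued.Add(lifetime+time.Hour)),
			exposure(leaf, leak), renewAt(leaf).Format(time.RFC3339))
	}
}
```

With a 24h cert the 6h-in leak is worth 18h to an attacker and the cert is dead at +25h no matter what the key can still sign; with a 90-day cert the same leak is worth 89 days and 18 hours. The renewal point is where the HA-CA argument bites: rotating at two-thirds of the window means a CA that is down for a few hours costs nothing with a 24h lifetime, but a CA down for more than a third of the lifetime breaks everything at once, which is why the lifetime and the CA's availability have to be chosen together. In step-ca the default being argued about is the provisioner claims block in ca.json (defaultTLSCertDuration, bounded by minTLSCertDuration and maxTLSCertDuration), which is where you change it if you want a longer window.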