summaryrefslogtreecommitdiffstats
path: root/design/hs_pki_policy
blob: b90e145aecfc5d3c921a54767078d5f5cc9895ad (plain)
1
2
3
4
5
6
7
8
9
10
11
12
Root CA cert valid for 6y
Root CA CRL valid for 14m
 * need ceremony at least once per y to renew CRL

KC certificates valid for 8m (verify calculation of influence on possible new CA)

CA certs valid for 1y
 Limited certificate depth to 1 (so it can't issue CA)

CA CRL valid for 1d (or even less)

End user / device certificates valid for 3m