How long should I set the validity period for the key recovery agent template?

On my issuing CA, I'd like to create and publish a key recovery agent template.
How long should I set the validity period for the key recovery agent template? What's best practice?
marc broers asked:

btan, Exec Consultant, commented:
As MS has also advised, the validity period cannot be greater than the validity period of the CA's certificate. The minimum renewal period is 80 percent of the certificate lifetime or six weeks, whichever is greater. Do note that the renewal period is for the certificate if re-enrollment is supported for your certificate template. https://technet.microsoft.com/en-us/library/cc725621(v=ws.10).aspx

Overall, do consider balancing the security vs your business priority. The latter carries heavier weight.

a) If the validity period is operationally tight, e.g. shorter to ensure keys are always short-lived and not susceptible (like the case of password policy changes every 90 days, as an analogy), there can be inconveniences and pre-empted activities by the Ops cum IT team to prepare and plan early to ensure business as usual (the server may need updating as well as the client).

b) If the validity timeline is too long, security can tend to be lower - probably this is for a central sub Ent. CA that is well guarded against compromise or exposure. But the security team may think otherwise. A validity max of 1-2 years can be a "norm" for very security-sensitive application systems, but going beyond that period can still be possible; you just need to assess the risk and business returns.

Overall, the business security and OPS turnaround need to be acceptable to all supporting teams and concurred by your mgmt. This should include catering a sufficient time frame for the Ops cum IT teams to respond practically to an unexpected outage or a recurring maintenance lifecycle. Have exercises on the renewal SOP to tune the period along the way. It is not a hardcoded period per se, as you can control the configuration as the stakeholder.
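An added check, not part of btan's answer or the thread, that reads the validity and renewal periods stored on a published template and compares the validity against the remaining lifetime of the issuing CA certificate (the constraint quoted above). The template CN, the CA subject filter, and running it on the CA host with the ActiveDirectory module available are assumptions.

```powershell
# Added example (not from the thread). Assumptions: run on the issuing CA,
# ActiveDirectory module installed, template CN and CA subject adjusted below.
Import-Module ActiveDirectory

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod / pKIOverlapPeriod are stored as 8-byte little-endian
    # negative durations in 100-nanosecond units, the same unit as TimeSpan ticks.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [timespan]::FromTicks(-[System.BitConverter]::ToInt64($Bytes, 0))
}

$templateName = 'KeyRecoveryAgent'   # assumption: CN of the published template

# Templates live in the Configuration partition, not the domain partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$template = Get-ADObject -Filter "cn -eq '$templateName'" `
    -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -SearchScope OneLevel `
    -Properties pKIExpirationPeriod, pKIOverlapPeriod

$validity = ConvertFrom-PkiPeriod $template.pKIExpirationPeriod
$renewal  = ConvertFrom-PkiPeriod $template.pKIOverlapPeriod

# The CA's own certificate sits in the local machine store on the CA host
# (assumption: subject filter matches your CA name; newest cert wins)
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=Issuing-CA*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$caRemaining = $caCert.NotAfter - (Get-Date)

[pscustomobject]@{
    Template            = $templateName
    TemplateValidity    = $validity
    RenewalPeriod       = $renewal
    CaRemainingLifetime = $caRemaining
    # The CA cannot issue beyond its own NotAfter: a longer template validity
    # is silently truncated, which also shortens the effective renewal window.
    ValidityExceedsCa   = $validity -gt $caRemaining
}
```

Run it again after renewing the CA certificate; the truncation flag depends on the CA's remaining lifetime at issuance time, not on the template alone.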
