
RE: Why is privateKeyUsagePeriod deprecated?



Hi,
I strongly agree with Steven's comments made above and for those reasons
would agree with deprecating privateKeyUsagePeriod.  A simpler scheme, if
one agrees with the last point that Steven made, would be to acknowledge
that the private key may be used by the subscriber up to the end of the
certificate validity for signing, authenticating, etc., but that Relying
Parties may continue to validate signatures for an indefinite period after
that period (whether or not that later validation can be used to support a
position or claim can only be answered by whatever governing
legal/regulatory/policy/TermsAndConditions framework is in force).  Thus only
one validity or usage period need be specified and understood by users.

	Dean Adams

Steven Kent wrote:
--------------
I was not an author for 2459 or 3280, but my feeling is that we do
not recommend use of PKUP for several reasons:

	- it is generally confusing to folks who already have trouble
understanding PKI

	- only in the context of post facto evaluation for NR
purposes is it likely to be applicable

	- it embodies the notion that we can declare that a signature
generated with a private key expires at a future date, relative to NR
concerns. This is not a good match for many real world contexts in
which NR is an issue, e.g., my wet signature does not expire although
an agreement may have a limited lifespan.

Steve
---------------
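The two schemes being compared above, as an added example that is not part of the thread or of any RFC: a small standard-library Python model of the privateKeyUsagePeriod extension (id-ce 16, OID 2.5.29.16, a SEQUENCE of two IMPLICIT-tagged optional GeneralizedTime values) that DER-encodes and decodes it, and two relying-party checks, one applying the PKUP window to the signing time and one applying only the certificate validity in the way Dean proposes. The sample dates, the `Verdict`/`Pkup` names and the rule that a missing PKUP bound falls back to the certificate validity bound are assumptions made for the example.

```python
"""privateKeyUsagePeriod (PKUP) toy: DER codec plus two relying-party models.

Added example, not code from the PKIX thread. Standard library only.
"""
from collections import namedtuple
from datetime import datetime, timezone

PKUP_OID = "2.5.29.16"  # id-ce 16, privateKeyUsagePeriod

Pkup = namedtuple("Pkup", "not_before not_after")          # decoded extension value
Verdict = namedtuple("Verdict", "signed_in_window verified_after_window")


def _der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def _read_length(buf, pos):
    """Return (length, position just after the length octets)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def _to_generalized_time(dt):
    """GeneralizedTime as DER in RFC 5280 requires: UTC, seconds, no fraction."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii")


def _from_generalized_time(raw):
    return datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def encode_pkup(not_before=None, not_after=None):
    """PrivateKeyUsagePeriod ::= SEQUENCE { notBefore [0] GeneralizedTime OPTIONAL,
    notAfter [1] GeneralizedTime OPTIONAL } with IMPLICIT tags (0x80 / 0x81)."""
    if not_before is None and not_after is None:
        raise ValueError("PrivateKeyUsagePeriod needs notBefore or notAfter")
    body = b""
    if not_before is not None:
        v = _to_generalized_time(not_before)
        body += b"\x80" + _der_length(len(v)) + v
    if not_after is not None:
        v = _to_generalized_time(not_after)
        body += b"\x81" + _der_length(len(v)) + v
    return b"\x30" + _der_length(len(body)) + body


def decode_pkup(der):
    """Strict decoder: rejects trailing data, duplicates and out-of-order elements."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("trailing data or truncated SEQUENCE")
    fields = {}
    while pos < end:
        tag = der[pos]
        vlen, pos = _read_length(der, pos + 1)
        if pos + vlen > end:
            raise ValueError("element runs past SEQUENCE")
        value = der[pos:pos + vlen]
        pos += vlen
        if tag == 0x80 and not fields:                     # [0] must come first, once
            fields["not_before"] = _from_generalized_time(value)
        elif tag == 0x81 and "not_after" not in fields:    # [1] once, after [0] if any
            fields["not_after"] = _from_generalized_time(value)
        else:
            raise ValueError("unexpected or out-of-order element, tag 0x%02x" % tag)
    return Pkup(fields.get("not_before"), fields.get("not_after"))


def check_pkup_model(signing_time, verification_time, cert_not_before, cert_not_after, pkup):
    """PKUP model: the key is usable only inside the PKUP window. Assumption for
    this example: an absent bound falls back to the certificate validity bound."""
    lo = pkup.not_before or cert_not_before
    hi = pkup.not_after or cert_not_after
    return Verdict(lo <= signing_time <= hi, verification_time > hi)


def check_single_validity_model(signing_time, verification_time, cert_not_before, cert_not_after):
    """Dean's model: only the certificate validity bounds signing; a verification
    after notAfter is reported, not refused, since policy decides what it means."""
    return Verdict(cert_not_before <= signing_time <= cert_not_after,
                   verification_time > cert_not_after)


# Constructed sample: a one-year certificate whose PKUP allows signing only in
# the first six months (the classic "sign briefly, verify for years" intent).
CERT_NOT_BEFORE = _from_generalized_time(b"20040101000000Z")
CERT_NOT_AFTER = _from_generalized_time(b"20041231235959Z")
SAMPLE_PKUP = Pkup(CERT_NOT_BEFORE, _from_generalized_time(b"20040630235959Z"))

if __name__ == "__main__":
    signed = _from_generalized_time(b"20040901120000Z")   # after PKUP, inside validity
    verified = _from_generalized_time(b"20070101000000Z")  # years after both
    print(encode_pkup(*SAMPLE_PKUP).hex())
    print(check_pkup_model(signed, verified, CERT_NOT_BEFORE, CERT_NOT_AFTER, SAMPLE_PKUP))
    print(check_single_validity_model(signed, verified, CERT_NOT_BEFORE, CERT_NOT_AFTER))
```

The point the two checks make concrete is Steven's third bullet: under the PKUP model a September signature from a certificate still valid until December is rejected purely because the extension says so, while under the single-validity model the certificate only says whether the signer was entitled to sign at that time, and the relying party's framework decides what a verification years later is worth.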