Re: Why is privateKeyUsagePeriod deprecated?
Michael Ströder wrote:
> Personally I see no use of PKUP extension. How long signatures created
> with a private key associated with a PKC can be validated should not be
> specified in a public-key certificate. The more natural solution to me is
> to specify this in the policy and cryptographic protocol used for signing
> the message.
It's NOT about signature validity. It's about private key policy.
Unfortunately, this very useful extension became a victim
of misinterpretation of its purpose.
In practice, the private key does have a validity period, which is often
shorter than the validity of a corresponding certificate.
A key that is used for too long has a very high probability of becoming
lost, forgotten, or compromised in some other way, so this period is
normally small - a year or less.
While the certificate can last for many years.
Without this extension, we can only tell the person not to forget
to get a new certificate and dispose of his old private key
within given period of time.
Using this extension, we can force a person to do this,
because this policy is written right there, in his certificate.
CA can grant him a certificate with a simple condition:
he MUST destroy his public key before it expires.
If he forgot about his key, and did not notify CA
that the key was destroyed, well, that means the
key is potentially compromised and the certificate should be revoked.
What do you do with your credit card when it expires?
Throw it in the trash can? No, you return it to the bank.
Certificate expiration time is like a bumper for a train.
The bumper makes sure the train doesn't do too much damage
if the brakes are broken. But the normal situation
is when the train stops normally, never reaching the bumper.
PrivateKeyUsagePeriod is like those brakes; it is the normal way
to stop using a key when it's time.
Good luck,
Greg Chudov.
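The distinction the post draws (a short key usage period nested inside a longer certificate validity) can be checked mechanically from the extension's DER value. The following is an added example, not code from the thread or from any PKI library; the DER bytes and the certificate expiry are constructed sample values, and the three state labels are this example's own.

```python
from datetime import datetime, timezone

# ASN.1 from X.509 / RFC 5280 (implicit tagging):
#   PrivateKeyUsagePeriod ::= SEQUENCE {
#       notBefore [0] GeneralizedTime OPTIONAL,
#       notAfter  [1] GeneralizedTime OPTIONAL }
TAG_NOT_BEFORE, TAG_NOT_AFTER = 0x80, 0x81   # context-specific, primitive, implicit

def generalized_time(raw: bytes) -> datetime:
    """Decode a DER GeneralizedTime of the form YYYYMMDDHHMMSSZ (the only form DER allows)."""
    return datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value with a short-form length (under 128 bytes, enough here)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in a PrivateKeyUsagePeriod value")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_private_key_usage_period(der: bytes):
    """Return (notBefore, notAfter) from the extension value; absent fields come back as None."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    fields = {TAG_NOT_BEFORE: None, TAG_NOT_AFTER: None}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in fields or fields[tag] is not None:
            raise ValueError(f"unexpected or repeated tag 0x{tag:02x}")
        fields[tag] = generalized_time(value)
    return fields[TAG_NOT_BEFORE], fields[TAG_NOT_AFTER]

def key_state(now: datetime, cert_not_after: datetime, pkup_not_after) -> str:
    """Classify a key holder's situation using the two periods the post contrasts."""
    if now > cert_not_after:
        return "certificate expired"                         # the "bumper": the hard stop
    if pkup_not_after is not None and now > pkup_not_after:
        return "key period ended, certificate still valid"   # key must already be retired
    return "key within usage period"

# Constructed sample: a one-year key period inside a three-year certificate.
PKUP_DER = (bytes.fromhex("3022") + bytes.fromhex("800f") + b"20240101000000Z"
            + bytes.fromhex("810f") + b"20241231235959Z")
CERT_NOT_AFTER = generalized_time(b"20261231235959Z")

def state_at(now_gt: bytes) -> str:
    """Evaluate the sample certificate at a given GeneralizedTime instant."""
    _, pkup_not_after = parse_private_key_usage_period(PKUP_DER)
    return key_state(generalized_time(now_gt), CERT_NOT_AFTER, pkup_not_after)
```

A CA that tracks the middle state for each subscriber has exactly the signal the post describes: a key whose usage period ended without a destruction notice is a revocation candidate.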