
Re: Why is privateKeyUsagePeriod deprecated?
At 09:04 PM 7/23/2003 +0400, Gregory S. Chudov wrote:


> What do you do with your credit card, when it expired?
> Throw it to the trash can? No, you return it to the bank.

Interesting. But this assumes you can safely return the card ("bank" may be 2000 miles away) and here at least I doubt banks would accept the practice. We are simply admonished to destroy the card upon its expiration, usually accomplished by slicing it into pieces. I suppose the numbers could be retrieved, but a lot of folks toss old statements in the trash as well.


You really return it to the bank?

The point here, though, is that cert lives are relatively short precisely because of concerns with continued key security. This makes the certs "act like" private key usage limiters, when they are properly "key-to-owner" binding limiters.

In the strictest usage, one might refuse to validate a signature today if today is beyond the cert expiration, even though the document asserts the signature took place earlier (how to know w/o trusted timestamp)? But as Peter points out, this is a real limitation on certificate utility, broached by most.

Cheers! ____tony____


Tony Bartoletti 925-422-3881 <azb@xxxxxxxx> Information Operations and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900
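The distinction drawn in this thread, modelled as an added example that is not part of the original message: the certificate's validity window bounds the key-to-owner binding, privateKeyUsagePeriod bounds when the private key may sign, and under the strict policy a signing time asserted inside the document counts for nothing without a trusted timestamp. The class and function names and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

UTC = timezone.utc

@dataclass
class CertWindows:
    """Constructed model of the two time windows a certificate can carry."""
    not_before: datetime                      # validity: start of key-to-owner binding
    not_after: datetime                       # validity: end of key-to-owner binding
    pk_usage_not_before: Optional[datetime] = None   # privateKeyUsagePeriod.notBefore
    pk_usage_not_after: Optional[datetime] = None    # privateKeyUsagePeriod.notAfter

    def binding_valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after

    def key_usable_at(self, t: datetime) -> bool:
        # If the extension is absent, the validity window is the only limit on signing.
        lo = self.pk_usage_not_before or self.not_before
        hi = self.pk_usage_not_after or self.not_after
        return lo <= t <= hi

def verify_signature_time(cert: CertWindows, now: datetime,
                          asserted_signing_time: Optional[datetime] = None,
                          trusted_timestamp: Optional[datetime] = None) -> Tuple[bool, str]:
    """Strict policy: the signing instant is the trusted timestamp if one exists,
    otherwise 'now'. The time asserted inside the document is signer-controlled
    and is deliberately ignored; it is accepted as a parameter only to show that."""
    signing_time = trusted_timestamp if trusted_timestamp is not None else now
    if not cert.binding_valid_at(signing_time):
        return False, "certificate not valid at signing time"
    if not cert.key_usable_at(signing_time):
        return False, "signing time outside privateKeyUsagePeriod"
    return True, "ok"

# Constructed certificate: bound for all of 2003, key permitted to sign only until mid-2003.
CERT = CertWindows(
    not_before=datetime(2003, 1, 1, tzinfo=UTC),
    not_after=datetime(2004, 1, 1, tzinfo=UTC),
    pk_usage_not_after=datetime(2003, 7, 1, tzinfo=UTC),
)
NOW = datetime(2005, 1, 1, tzinfo=UTC)   # verifier's clock, after expiry

if __name__ == "__main__":
    print(verify_signature_time(CERT, NOW, asserted_signing_time=datetime(2003, 3, 1, tzinfo=UTC)))
    print(verify_signature_time(CERT, NOW, trusted_timestamp=datetime(2003, 3, 1, tzinfo=UTC)))
    print(verify_signature_time(CERT, NOW, trusted_timestamp=datetime(2003, 9, 1, tzinfo=UTC)))
```

The first call is rejected even though the document claims a 2003 signing time, the second is accepted on the strength of the timestamp, and the third shows a signature made while the binding was still valid but after the key's permitted usage period had ended.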