RE: Re: Why is privateKeyUsagePeriod deprecated?
>Suppose that the certificate was issued to Bob at Acme Corp. On 30
>November 2004, Bob was fired because it was discovered that he had been
>misappropriating office supplies. It is suspected that he has initiated
>and signed a number of EDI transactions in connection with his nefarious
>scheme.
>
But the private key can't be used beyond 30 June 2004.
After this time, Bob will have a new cert that will be
revoked.
>My point is this: from what I can see, usage of the extension really
>doesn't buy you anything. In order to accurately assess whether the
>transaction was valid at the time of signing, and assess that long after
>the fact, you have to archive so much extra information that I don't see
>what pain is caused by the fact that the certificate has expired by then.
>It's not clear to me what if anything you do differently because you have
>information directly tied to the certificate - e.g., it was revoked
>months later. It doesn't save much in the way of processing to have any
>such information directly tied to the certificate, versus tied to some
>other piece of information you had to archive.
>
I think that
1) The PKUP allows extending the signature verification by the cert
period, because the reason for revocation is discovered later and has an
effect on the validity period of the private key. But:
1.1) The reason could be discovered after the cert period.
1.2) The gap between the private key notAfter and the cert notAfter has
to be related to the lifetime of the signed document.
2) An end entity cert is a signed document issued by a CA with a
lifetime. It falls under 1.2. If the CA cert has the PKUP, the end entity
certs issued within the CA private key lifetime would be verified (chain
and CRL) within the validity period of the CA cert.
Kind regards,
Diego Fernandez
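The scenario argued over in this thread (a cert whose private key period ends on 30 June, a revocation on 30 November, and a verifier looking at a signature long after the fact) can be made concrete in code. The block below is an added example, not code from either poster: it encodes and decodes the PrivateKeyUsagePeriod extension (RFC 3280 section 4.2.1.4, OID 2.5.29.16, dropped from RFC 5280) as DER by hand, then checks a signing time against the cert validity, the PKUP window and the revocation (or invalidity) date, in that order. All dates, the `CertInfo` record and the status strings are constructed for illustration; no real certificate is parsed.

```python
"""Added example: PrivateKeyUsagePeriod (PKUP) encode/decode and a
signature-time check that uses it. Constructed data only."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

PKUP_OID = "2.5.29.16"  # id-ce-privateKeyUsagePeriod (RFC 3280 4.2.1.4)


def utc(year: int, month: int, day: int) -> datetime:
    """Helper: an aware UTC datetime at midnight."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _generalized_time(dt: datetime) -> bytes:
    # DER GeneralizedTime must be UTC with a trailing 'Z' and no fractions.
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii")


def _tlv(tag: int, value: bytes) -> bytes:
    # Short-form length only; PKUP values are always well under 128 bytes.
    if len(value) >= 128:
        raise ValueError("value too long for short-form DER length")
    return bytes([tag, len(value)]) + value


def encode_pkup(not_before: Optional[datetime], not_after: Optional[datetime]) -> bytes:
    """PrivateKeyUsagePeriod ::= SEQUENCE { notBefore [0] IMPLICIT GeneralizedTime
    OPTIONAL, notAfter [1] IMPLICIT GeneralizedTime OPTIONAL }"""
    body = b""
    if not_before is not None:
        body += _tlv(0x80, _generalized_time(not_before))  # [0] IMPLICIT
    if not_after is not None:
        body += _tlv(0x81, _generalized_time(not_after))   # [1] IMPLICIT
    return _tlv(0x30, body)  # SEQUENCE


def decode_pkup(der: bytes) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Parse the extension value back into (notBefore, notAfter)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    body = der[2:2 + der[1]]
    if len(body) != der[1]:
        raise ValueError("truncated SEQUENCE")
    not_before = not_after = None
    i = 0
    while i < len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated element")
        dt = datetime.strptime(value.decode("ascii"), "%Y%m%d%H%M%SZ")
        dt = dt.replace(tzinfo=timezone.utc)
        if tag == 0x80:
            not_before = dt
        elif tag == 0x81:
            not_after = dt
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        i += 2 + length
    return not_before, not_after


@dataclass
class CertInfo:
    """Constructed stand-in for the fields a verifier would pull from a cert
    and its CRL entry; not a real certificate parser."""
    not_before: datetime
    not_after: datetime
    pkup_der: Optional[bytes] = None          # raw PKUP extension value, if present
    revocation_date: Optional[datetime] = None  # CRL entry revocationDate
    invalidity_date: Optional[datetime] = None  # CRL entry invalidityDate, if known


def signature_time_status(cert: CertInfo, signed_at: datetime) -> str:
    """Classify a claimed signing time against the cert, its PKUP and revocation."""
    if not (cert.not_before <= signed_at <= cert.not_after):
        return "outside-cert-validity"
    if cert.pkup_der is not None:
        nb, na = decode_pkup(cert.pkup_der)
        if nb is not None and signed_at < nb:
            return "before-private-key-period"
        if na is not None and signed_at > na:
            return "after-private-key-period"
    # A later-discovered compromise is expressed by invalidityDate, which
    # overrides the (later) revocationDate for signature checking.
    cutoff = cert.invalidity_date or cert.revocation_date
    if cutoff is not None and signed_at >= cutoff:
        return "after-revocation"
    return "ok"


def example_results() -> dict:
    """The thread's scenario with constructed dates: cert valid through 2004,
    key usable only until 30 June, Bob fired (cert revoked) on 30 November."""
    bob = CertInfo(
        not_before=utc(2004, 1, 1),
        not_after=utc(2004, 12, 31),
        pkup_der=encode_pkup(None, utc(2004, 6, 30)),
        revocation_date=utc(2004, 11, 30),
    )
    # Same cert, but the investigation later fixes the misuse start at 1 March.
    bob_backdated = CertInfo(**{**bob.__dict__, "invalidity_date": utc(2004, 3, 1)})
    return {
        "june_signature": signature_time_status(bob, utc(2004, 6, 1)),
        "august_signature": signature_time_status(bob, utc(2004, 8, 15)),
        "december_signature": signature_time_status(bob, utc(2004, 12, 1)),
        "june_signature_backdated": signature_time_status(bob_backdated, utc(2004, 6, 1)),
        "pkup_roundtrip": decode_pkup(bob.pkup_der) == (None, utc(2004, 6, 30)),
    }


if __name__ == "__main__":
    for label, status in example_results().items():
        print(f"{label}: {status}")
```

The ordering of the checks mirrors the two positions in the thread: with a PKUP present, an August signature is rejected by the key period alone, before any CRL is consulted, which is the point made above about the key being unusable beyond 30 June; without a PKUP the same signature would pass the cert-validity check and its fate would rest entirely on archived revocation data. The `invalidity_date` case shows item 1.1: a reason discovered later can push the effective cutoff before the PKUP end, so the PKUP is a ceiling on key use, not a substitute for the CRL.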