RE: Re: Why is privateKeyUsagePeriod deprecated?

[Stephen Kent <kent@xxxxxxx>]

Title: RE: Re: Why is privateKeyUsagePeriod deprecated?

At 12:25 +0900 7/25/03, bonny wrote:

> Dear
> Steve
>  
> The
> following are my comments for your views
>  
> only in the context of post facto
> evaluation for NR purposes is it
> likely to be applicable
>  
> Yeah I
> agreed to this
>  
>  
>  
> it embodies the notion that we can declare
> that a signature
> generated with a private key expires at a
> future date, relative to NR concerns. this is not a good match for
> many real world contexts on which NR is an issue,e.g., my wet
> signature does not expire although an agreement may have a limited
> lifespan.
>  
>  
>  
> With
> the PKUP field we r assuring that the signatures should only be
> created within the validity period of the private key.That doesn't
> mean the signatures are not valid after the validity of the
> period.
>  
> So how
> does PKUP creates the notion , we can declare that a
> signature
> generated with a private key expires at a future
> date.It only suggests that no more signatures cant be generated.

The PKUP does operate as you note, but the cert validity period is still present, and in the presence of the PKUP extension, this field is reinterpreted to state that after the notAfter date, the cert may no longer be used to verify any signature, period.  That too is part of the reason for not encouraging use of PKUP, i.e., the need to reinterpret the cert validity field.

Steve