Re: Why is privateKeyUsagePeriod deprecated?
If this is likely to become official, I think the last sentence
needs more work in order to let RP authors know what they should do, as
well as what they may.
If the RP requires authoritative proof of the time at which the document
was signed, it SHOULD reject the signature unless the signature itself is
referenced by a time-stamped document signed by a certificate which has
not expired, especially a time stamp created by a TSA (see RFC 3161). If
the RP requires authoritative proof of the certificate's not having been
revoked, it SHOULD NOT consider the absence of an expired certificate from
a CRL which would otherwise cover it as evidence that the certificate was
not revoked unless the CRL was issued prior to the expiration of the
certificate.
Tom Gindin
Stephen Kent <kent@xxxxxxx>
07/25/2003 01:45 PM
To: pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)
cc: pgut001@xxxxxxxxxxxxxxxxx, Tom Gindin/Watson/IBM@IBMUS,
d.w.chadwick@xxxxxxxxxxxxx, ietf-pkix@xxxxxxx
Subject: Re: Why is privateKeyUsagePeriod deprecated?
At 21:02 +1200 7/25/03, Peter Gutmann wrote:
>Tom Gindin <tgindin@xxxxxxxxxx> writes:
>
> The validity period for a certificate is the period of time from notBefore
> through notAfter, inclusive. When an RP is validating the signature on a
> document which claims to have been signed or produced at a given past time,
> the RP SHOULD proceed with the verification of the signature if that time is
> within the validity period even though the time of verification is outside
> it. If the RP requires authoritative proof either of the time at which the
> document was signed or of the certificate's not having been revoked, it MAY
> reject the signature.
>
>That works for me. Russ, any chance of getting this added to bride-of-3280?
>
>Peter.
Peter,
Also, when we have SCVP in place, it makes explicit provision for
asking the "was it valid then" question, which would address this
problem.
Steve
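As an added illustration, not text from this thread or from any RFC, the following Python encodes the RP decision rules proposed above (Peter's baseline rule plus Tom's two SHOULD clauses) as one policy function. The data classes are constructed stand-ins for the real X.509, RFC 3161 and CRL structures, and the extra check that the time attested by the TSA must itself lie inside the signer's validity period is this example's own assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Cert:
    # Only the validity window matters here; the period is inclusive at both ends.
    not_before: datetime
    not_after: datetime

    def covers(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after

@dataclass
class TimeStamp:
    # RFC 3161-style token: the asserted time plus the TSA's signing certificate.
    gen_time: datetime
    tsa_cert: Cert

@dataclass
class CrlInfo:
    # What the RP learned from a CRL that would otherwise cover the signer's cert.
    this_update: datetime   # when the CRL was issued
    lists_cert: bool        # True if the signer's certificate appears on it

def decide(cert: Cert, claimed_time: datetime, now: datetime,
           require_time_proof: bool = False,
           require_revocation_proof: bool = False,
           timestamp: Optional[TimeStamp] = None,
           crl: Optional[CrlInfo] = None) -> str:
    """Return 'accept' or 'reject: <reason>' under the thread's RP rules."""
    # Baseline: proceed if the claimed signing time is in the validity period,
    # even though 'now' may already be past notAfter.
    if not cert.covers(claimed_time):
        return "reject: claimed signing time outside validity period"
    if require_time_proof:
        # Need a time stamp whose TSA certificate has not expired at 'now'.
        if timestamp is None or not timestamp.tsa_cert.covers(now):
            return "reject: no time stamp from an unexpired TSA certificate"
        # Example's own assumption: the attested time must itself fall inside
        # the signer's validity period.
        if not cert.covers(timestamp.gen_time):
            return "reject: time-stamped time outside validity period"
    if require_revocation_proof:
        if crl is None or crl.lists_cert:
            return "reject: no CRL evidence of non-revocation"
        # A CRL issued after expiry proves nothing: expired certs drop off CRLs.
        if crl.this_update > cert.not_after:
            return "reject: CRL issued after expiry does not show non-revocation"
    return "accept"
```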