
RE: Re: Why is privateKeyUsagePeriod deprecated?




Dear Steve


The PKUP does operate as you note, but the cert validity period is still present, and in the presence of the PKUP extension, this field is reinterpreted to state that after the notAfter date, the cert may no longer be used to verify any signature, period. That too is part of the reason for not encouraging use of PKUP, i.e., the need to reinterpret the cert validity field.



This is my view



The certificate can be used to verify the signature during the certificate validity period irrespective of the PKUP; for this reason the certificate validity period should be present.



The signature should not be generated after or before the PKUP; since the private key validity period is different from the certificate validity period, this field should be present.



So why should a certificate processing part get confused by seeing the 2 fields? Those 2 fields are meant for different purposes. First check that the signature has been created in the valid period, then check the validity of the certificate. In the case of NR the validity of the certificate does not have any impact, since the thrust is on PKUP.





Regards Bonny
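
The two-step check proposed in the message above, as an added example that is not part of the original post. The `CertTimes` holder, the function names, the `nr` flag and the sample dates are all assumptions made for illustration, and the signing time is assumed to come from a trusted source.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class CertTimes:
    """Hypothetical holder for the two periods; not tied to any X.509 library."""
    not_before: datetime                          # certificate validity
    not_after: datetime
    pkup_not_before: Optional[datetime] = None    # PKUP bounds, each optional
    pkup_not_after: Optional[datetime] = None


def in_window(t: datetime, start: Optional[datetime], end: Optional[datetime]) -> bool:
    """True if t is inside [start, end]; an absent bound is treated as open."""
    return (start is None or t >= start) and (end is None or t <= end)


def check_times(cert: CertTimes, signed_at: datetime, verified_at: datetime,
                nr: bool = False) -> Tuple[bool, str]:
    """signed_at is assumed to come from a trusted source (e.g. a timestamp)."""
    # Step 1: the signature must have been created inside the PKUP.
    if not in_window(signed_at, cert.pkup_not_before, cert.pkup_not_after):
        return False, "signed outside privateKeyUsagePeriod"
    # NR case as described in the message: only the PKUP check applies.
    if nr:
        return True, "ok"
    # Step 2: verification must fall inside the certificate validity period.
    if not in_window(verified_at, cert.not_before, cert.not_after):
        return False, "verified outside certificate validity"
    return True, "ok"


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample: two-year certificate, private key usable for the first year.
CERT = CertTimes(utc(2003, 1, 1), utc(2005, 1, 1), utc(2003, 1, 1), utc(2004, 1, 1))

if __name__ == "__main__":
    print(check_times(CERT, utc(2003, 6, 1), utc(2004, 6, 1)))
    print(check_times(CERT, utc(2004, 6, 1), utc(2004, 7, 1)))
    print(check_times(CERT, utc(2003, 6, 1), utc(2006, 1, 1)))
    print(check_times(CERT, utc(2003, 6, 1), utc(2006, 1, 1), nr=True))
```

The third and fourth calls differ only in the `nr` flag: the same signature is rejected once the certificate has expired, but accepted when only the PKUP check is applied.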
