
Re: Why is privateKeyUsagePeriod deprecated?



"Al Arsenault" <aarsenau@xxxxxxx> writes:

>This brings up what is to me an interesting question:  exactly what service
>do you think you're providing with this signature validation long after the
>fact, 

Compliance with legal/contractual requirements.  To give another example of
this, I know of applications where the PKI software reads old stored CRLs off
disk and checks the cert against them before every use because that's what the
standard requires.  It's complete bollocks, they're just going through the
motions for form's sake, but that's what the standard requires, so that's what
they do (the standard doesn't say "You must perform a sensible revocation/
validity check", it just says "You must check certs against a CRL", so that's
what happens, even if it's one issued a month ago, and the cert has already
been checked against it 873 times before).

>and why do you think it's important?

See above.

>I can only think of about three reasons why one would want to do a signature
>validation months after an order was signed:
>
>  - as part of a business audit;
>  - as part of a dispute resolution process (e.g., a non-repudiation issue)
>  - because one's business processes were REALLLLY slow, and it just takes
>    that long to process an order.

You forgot:

  - Because the standard/law/trading agreement says you need to do this in
    order to be compliant.

Peter.
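The two kinds of CRL check Peter contrasts, side by side, as an added example that is not part of the original post or any product it describes. It is written against Go's standard crypto/x509 package (Go 1.19 or later for ParseRevocationList and RevocationList.CheckSignatureFrom) and constructs its own throwaway PKI: a self-signed ECDSA CA, one leaf certificate, and a CA-signed CRL whose nextUpdate passed a month ago and which lists some other serial. The names (buildDemoPKI, checkForFormsSake, checkSensibly, serials 999/1000, the 30-day gap) are all assumptions made for the demo. checkForFormsSake is the literal "check the cert against a CRL" and passes a stale CRL every time; checkSensibly first verifies the CRL signature and the thisUpdate/nextUpdate window at the time of the check, and only then looks the serial up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo setup short; a real loader would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demoPKI is a constructed fixture (not from the post): CA, leaf cert, and a CRL
// signed by the CA that lists serial 999 and whose nextUpdate is a month in the past.
type demoPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
	CRL  *x509.RevocationList
}

func buildDemoPKI(now time.Time) *demoPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-365 * 24 * time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// CRLSign is required or CreateRevocationList/CheckSignatureFrom refuse the CA.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Parse the DER back so the CA carries the SubjectKeyId Go generates for CAs.
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))

	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: "order-signer"},
		NotBefore: now.Add(-90 * 24 * time.Hour), NotAfter: now.Add(275 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))

	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(7),
		ThisUpdate: now.Add(-37 * 24 * time.Hour), // issued over a month ago ...
		NextUpdate: now.Add(-30 * 24 * time.Hour), // ... and overdue for a month
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(999), RevocationTime: now.Add(-40 * 24 * time.Hour)},
		},
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return &demoPKI{CA: ca, Leaf: leaf, CRL: crl}
}

// checkForFormsSake is the literal reading of "check the cert against a CRL":
// is the serial on the list? It never asks who signed the list or how old it is,
// so a month-old CRL read off disk passes it every single time.
func checkForFormsSake(crl *x509.RevocationList, cert *x509.Certificate) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return false
		}
	}
	return true
}

var (
	ErrStaleCRL = errors.New("crl: nextUpdate has passed, fetch a fresh CRL")
	ErrRevoked  = errors.New("crl: certificate serial is revoked")
)

// checkSensibly is the check the standard does not spell out: the CRL must be
// signed by the issuer and be inside its thisUpdate..nextUpdate window at the
// time of the check; only then is the serial looked up. Validating the chain of
// cert itself is out of scope here.
func checkSensibly(crl *x509.RevocationList, cert, issuer *x509.Certificate, at time.Time) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("crl: signature check failed: %w", err)
	}
	if at.Before(crl.ThisUpdate) {
		return errors.New("crl: thisUpdate is in the future")
	}
	if !crl.NextUpdate.IsZero() && at.After(crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	now := time.Now()
	p := buildDemoPKI(now)
	fmt.Println("form's-sake check passes:", checkForFormsSake(p.CRL, p.Leaf))
	fmt.Println("sensible check today:    ", checkSensibly(p.CRL, p.Leaf, p.CA, now))
	fmt.Println("sensible check 33d ago:  ", checkSensibly(p.CRL, p.Leaf, p.CA, now.Add(-33*24*time.Hour)))
}
```

Run as-is and the stale CRL is accepted by the first check and rejected with ErrStaleCRL by the second; evaluated at a point inside the CRL's window the second check accepts the unlisted leaf, which is the behaviour a "sensible revocation/validity check" is supposed to have and a serial-only lookup cannot distinguish.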