Denis,

You are right. You wrote: "PKUP could be a useful extension ...". But RFC-3280 says: "This extension SHOULD NOT be used within the Internet PKI." (section 4.2.1.4). It is a problem.
Libor
> -----Original Message-----
> From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
> Sent: Wednesday, July 30, 2003 11:07 AM
> To: dostalek@xxxxxx
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: Why is privateKeyUsagePeriod deprecated?
>
> Libor,
>
> (...)
>
> Yes. PKUP could be a useful extension for self-signed certificates, *if* the
> Subject Information Access extension defined in section 4.2.2.2 from RFC
> 3280 is also used. In that case, the id-ad-caRepository OID SHALL be used to
> indicate in which repository the CA publishes its certificates.
>
> Denis
>
> > From my point of view, PKUP could be a useful extension of CA certs.
> > A CA must issue its new cert a long time before the expiration of its own
> > certificate (this period is the min of the max of the validity time of
> > issued EE certs).
> >
> > It means: after issuing the new CA cert (new-new), the old CA cert (old-old)
> > is still valid, but the corresponding old private key of the CA is not used
> > henceforth. This private key should be authoritatively erased when
> > the new CA certificate is issued. The lifetime of the private key is shorter
> > than the validity period of the certificate. This lifetime of the private
> > key could be indicated in the PKUP.
> >
> > Today, the lifetime of the private key is indicated in the certificate
> > policy (CP). Unfortunately it is not possible to start the procedure
> > for downloading new CA certs (old-new, new-new and new-old)
> > automatically, because the certificate policy (CP) is unstructured
> > text. In practice, the lifetime of the CA private key is not even
> > published in the CP yet. It is published in the CPS (RFC-2527), which in
> > the case of the majority of CAs is not public. Therefore it might be useful
> > to indicate this information in the PKUP.
> >
> > Libor Dostalek
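The situation Libor describes, a CA certificate that is still within its validity period while the PKUP says the private key's lifetime has ended, can be checked mechanically by a relying party. The following is an added example, not code from the thread or from any PKIX implementation: it DER-encodes and decodes the PrivateKeyUsagePeriod value from RFC 3280 section 4.2.1.4 (IMPLICIT tags [0]/[1] as 0x80/0x81, GeneralizedTime in UTC) and classifies a signing time against both the certificate validity and the key usage period. All dates are constructed sample values.

```python
from datetime import datetime, timezone

UTC = timezone.utc
GT_FMT = "%Y%m%d%H%M%SZ"  # DER GeneralizedTime: UTC, seconds, no fractions

def encode_pkup(not_before=None, not_after=None):
    """DER-encode PrivateKeyUsagePeriod ::= SEQUENCE { notBefore [0] GeneralizedTime
    OPTIONAL, notAfter [1] GeneralizedTime OPTIONAL }. Tags are IMPLICIT, so [0]
    is 0x80 and [1] is 0x81. Short-form lengths suffice (body is at most 34 bytes)."""
    body = b""
    for tag, dt in ((0x80, not_before), (0x81, not_after)):
        if dt is not None:
            val = dt.astimezone(UTC).strftime(GT_FMT).encode("ascii")
            body += bytes([tag, len(val)]) + val
    return bytes([0x30, len(body)]) + body

def decode_pkup(der):
    """Parse the extension value back into (notBefore, notAfter); absent -> None."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed PrivateKeyUsagePeriod SEQUENCE")
    found = {0x80: None, 0x81: None}
    i = 2
    while i < len(der):
        if i + 2 > len(der):
            raise ValueError("truncated field header")
        tag, ln = der[i], der[i + 1]
        val = der[i + 2:i + 2 + ln]
        if tag not in found or found[tag] is not None or len(val) != ln:
            raise ValueError("unexpected, repeated or truncated field")
        found[tag] = datetime.strptime(val.decode("ascii"), GT_FMT).replace(tzinfo=UTC)
        i += 2 + ln
    return found[0x80], found[0x81]

def key_usable_at(signing_time, cert_not_before, cert_not_after, pkup_der):
    """Relying-party check: the certificate validity and the PKUP are evaluated
    separately, so a valid old-old CA cert can still report a dead key."""
    if not (cert_not_before <= signing_time <= cert_not_after):
        return "certificate not valid at signing time"
    nb, na = decode_pkup(pkup_der)
    if nb is not None and signing_time < nb:
        return "certificate valid but private key not yet usable (PKUP notBefore)"
    if na is not None and signing_time > na:
        return "certificate valid but private key lifetime ended (PKUP notAfter)"
    return "private key usable"

# Constructed sample (assumed dates): a 10-year CA cert whose key lifetime is 5 years.
CERT_NB = datetime(2003, 1, 1, tzinfo=UTC)
CERT_NA = datetime(2013, 1, 1, tzinfo=UTC)
KEY_NA = datetime(2008, 1, 1, tzinfo=UTC)
PKUP = encode_pkup(CERT_NB, KEY_NA)

if __name__ == "__main__":
    for when in (datetime(2005, 6, 1, tzinfo=UTC), datetime(2010, 6, 1, tzinfo=UTC)):
        print(when.date(), "->", key_usable_at(when, CERT_NB, CERT_NA, PKUP))
```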