Certificate expirations...
Hi,
I have been wondering about a practical problem in a PKI setup (certificate
life cycle management). I am sure quite some people must have had long
debates/discussions on this topic. I apologize in advance if I am
overlooking something in the drafts already addressed.
Say an end user is using certificate(s) for encryption purposes. The
certificate has finite life time. Agreeably what approach is taken on
expiration of a certificate, for a smooth transition to the new one, could
be a local policy (outside the purview of pki but pki may have some
guidelines in this regard).
But I haven't been able to come up with/think of a practical/reasonable solution.
The user would need access to the earlier encrypted documents. Decrypting
them with the old one (when it is about to expire) and re-encrypting with the
new one does not seem very practical.
People talk of certificate renewals. Would renewal in this context mean
renewing just the certificate (while keeping the same key)? But then using
the same key forever is not advisable either.
If I say that the encryption keys be backed up so that they are available
whenever needed, then I can use new certificates for encryption as earlier
ones expire. The problem here is, in case I wish to unearth some ancient
encrypted document, I would need a certificate which has long expired (and
the underlying crypto software won't allow me to use it despite the fact that
I have the private keys for it). So would I need to get a certificate again
using the same public key (some sort of late renewal) temporarily for the
purpose?
The other option is: since my end objective is to get to the document, I would
forget about certificates and directly use the relevant keys (which I would
have backed up) for decryption. Technically this seems very much possible.
Question is: Is it OK to indulge in such practices when PKI is in the picture?
Thanks for reading through. Any suggestions/pointers/comments would be
appreciated.
Regards,
Jayant
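An added example, not part of Jayant's message, using only the Go standard library: it separates the two things the message runs together, the validity-period check that PKI-aware software enforces before encrypting to a certificate, and decryption of an old document, which needs only the backed-up private key and not a currently valid certificate. The self-signed certificate, the SubjectKeyId derivation and the archive map are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fixture construction failed; a setup bug, not a PKI condition
	}
	return v
}

// certUsableAt is the validity check PKI-aware software applies before
// encrypting to a certificate. Decrypting with the private key never needs it.
func certUsableAt(cert *x509.Certificate, t time.Time) bool {
	return !t.Before(cert.NotBefore) && !t.After(cert.NotAfter)
}

// decryptArchived looks the backed-up key up by the certificate's SubjectKeyId
// and deliberately ignores NotAfter: the expired certificate only names the key.
func decryptArchived(archive map[string]*rsa.PrivateKey, cert *x509.Certificate, ct []byte) ([]byte, error) {
	key, ok := archive[string(cert.SubjectKeyId)]
	if !ok {
		return nil, errors.New("no archived private key for this certificate's SubjectKeyId")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, key, ct, nil)
}

// Scenario: constructed self-signed cert valid for the year ending at expiry; encrypt
// doc a month before expiry, back up the key, recover doc a day after expiry.
func Scenario(expiry time.Time, doc string) (bool, bool, string, error) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	skid := sha256.Sum256(x509.MarshalPKCS1PublicKey(&key.PublicKey)) // constructed SKID
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "user@example.test"},
		NotBefore: expiry.AddDate(-1, 0, 0), NotAfter: expiry, KeyUsage: x509.KeyUsageKeyEncipherment, SubjectKeyId: skid[:20]}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), []byte(doc), nil))
	archive := map[string]*rsa.PrivateKey{string(cert.SubjectKeyId): key} // the backed-up private key
	pt, err := decryptArchived(archive, cert, ct)
	return certUsableAt(cert, expiry.AddDate(0, -1, 0)), certUsableAt(cert, expiry.Add(24*time.Hour)), string(pt), err
}
```

The first two results are true and false: the certificate was usable when the document was encrypted and is expired when it is read back, yet the archived key still recovers the plaintext. What the archive may be used for is then a key-management policy question, not a cryptographic limitation.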