
RE: Certificate expirations...



When using the certificate for encryption: the certificate contains the public
key, which is used to encrypt, and which should not be used after expiration.
The private key is not in any certificate at all.  The intent is that you
should not do new encryptions, but decryption with the private key is still
appropriate after the public certificate has expired.

> -----Original Message-----
> From:	Jayant Sane [SMTP:jayant@frontiertech.com]
> Sent:	Thursday, August 13, 1998 10:39 AM
> To:	PKIXDiscuss
> Subject:	Certificate expirations...
> 
> Hi,
> 
> I have been wondering about a practical problem in a PKI setup
> (certificate
> life cycle management). I am sure quite some people must have had long
> debates/discussions on this topic. I apologize in advance if I am
> overlooking something in the drafts already addressed.
> 
> Say an end user is using certificate(s) for encryption purposes. The
> certificate has finite life time. Agreeably what approach is taken on
> expiration of a certificate, for a smooth transition to the new one, could
> be a local policy (outside the purview of pki but pki may have some
> guidelines in this regard).
> 
> But I haven't been able to come up with/think of a practical/reasonable
> solution.
> The user would need access to the earlier encrypted documents. Decrypting
> them with the old one (when it is about to expire) and re-encrypting with the
> new one do not seem very practical.
> 
> People talk of certificate renewals. Would renewal in this context mean
> renewing just the certificate (while keeping the same key). But then using
> the same key forever is not advisable too.
> 
> If I say that the encryption keys be backed up so that they are available
> whenever needed, then I can use new certificates for encryptions as earlier
> ones expire. Problem here is that if I wish to unearth some ancient
> encrypted document, I would need a certificate which has long expired (and
> the underlying crypto software won't allow me to use it despite the fact that
> I have the private keys for it). So would I need to get a certificate again
> using the same public key (some sort of late renewal) temporarily for the
> purpose?
> 
> Other option is: since my end objective is to get to the document, I would
> forget about certificates and directly use the relevant keys (which I would
> have backed up) for decryption. Technically this seems very much possible.
> Question is: Is it ok to indulge in such practices when PKI is in the
> picture?
> 
> Thanks for reading thru. Any suggestions/pointers/comments would be
> appreciated.
> 
> Regards,
> Jayant
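The point made in the reply above (the certificate carries only the public key, so an expired certificate stops new encryptions but never stops decryption with the private key), plus the "late renewal" idea from the original question (reissuing a certificate over the same key pair), shown as an added example that is not part of the thread. It drives the openssl command-line tool; the temporary file names, the subject "/CN=archive-user", the one-day validity and the sample plaintext are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread. Requires the
# openssl CLI (1.1.0 or later for "verify -attime"). File names, the subject
# "/CN=archive-user", the 1-day validity and the plaintext are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

setup_keys_and_cert() {
    # The private key exists only in key.pem; the certificate carries the
    # public key and the validity period, nothing else that matters here.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    # Self-signed certificate valid for one day, standing in for an
    # encryption certificate issued by a CA.
    openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=archive-user" \
        -days 1 -out "$WORK/cert.pem" 2>/dev/null
    # Constructed sample plaintext: the "ancient encrypted document".
    printf 'ancient encrypted document' > "$WORK/doc.txt"
    # Encrypt with the public key extracted from the certificate (RSA-OAEP).
    openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub.pem"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/doc.txt" -out "$WORK/doc.enc"
}

# Returns 0 when the certificate validates at the current time
# (it is its own trust anchor, so only the validity period is in play).
cert_accepted_now() {
    openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

# Returns 0 when the same certificate is rejected at a time after notAfter.
# "-attime" evaluates the chain as if the clock read that epoch second.
cert_rejected_after_expiry() {
    future=$(( $(date +%s) + 10 * 365 * 86400 ))
    if openssl verify -attime "$future" -CAfile "$WORK/cert.pem" \
            "$WORK/cert.pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 when the private key alone recovers the plaintext. No certificate
# is consulted at all, which is why expiry cannot interfere with decryption.
private_key_still_decrypts() {
    openssl pkeyutl -decrypt -inkey "$WORK/key.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/doc.enc" -out "$WORK/doc.dec"
    cmp -s "$WORK/doc.txt" "$WORK/doc.dec"
}

# "Late renewal": issue a fresh certificate over the existing key pair and
# confirm its public key is byte-for-byte the one in the expired certificate,
# so the old ciphertexts stay readable under the new certificate's policy.
late_renewal_keeps_public_key() {
    openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=archive-user" \
        -days 1 -out "$WORK/cert2.pem" 2>/dev/null
    openssl x509 -in "$WORK/cert2.pem" -pubkey -noout > "$WORK/pub2.pem"
    cmp -s "$WORK/pub.pem" "$WORK/pub2.pem"
}

setup_keys_and_cert
```

Run the script and then call the four functions in order; the expiry check is simulated with "openssl verify -attime" rather than by waiting, so the whole sequence completes in a few seconds. The operational lesson is the one in the reply: back up the private key (not the certificate), because the key is what decryption needs, and treat the certificate's notAfter as a limit on encrypting, not on decrypting.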