Re: [pkix] Private key usage period extension

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 06 May 2016 09:53 UTC

To: Erik Andersen <era@x500.eu>, Directory list <x500standard@freelists.org>, PKIX <pkix@ietf.org>
References: <000901d1a773$379e1680$a6da4380$@x500.eu>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <572C6980.8000808@cs.tcd.ie>
Date: Fri, 6 May 2016 10:53:04 +0100
In-Reply-To: <000901d1a773$379e1680$a6da4380$@x500.eu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/dGjwXvWgyPLhtXQow897k8ZHNRA>
Subject: Re: [pkix] Private key usage period extension

Hi Erik,

I've a separate question: does anyone use this extension
or should we put it on a virtual/mental list of stuff to
be deprecated when/if someone has the energy?

S.

On 06/05/16 09:42, Erik Andersen wrote:
> X.509 has a specification of the Private key usage period extension
> (8.2.2.5). This extension is a little confusing. It has notBefore and
> notAfter specification. However, the text says:
> 
> The notBefore component indicates the earliest date and time at which the
> private key could be used for signing. If the notBefore component is not
> present, then no information is provided as to when the period of valid use
> of the private key commences. The notAfter component indicates the latest
> date and time at which the private key could be used for signing. If the
> notAfter component is not present then no information is provided as to when
> the period of valid use of the private key concludes.
> 
> With a little ill will, this can be read as the private key validation
> period may extend beyond the validity of the public key. Note 1 adds to the
> confusion, as it says:
> 
> NOTE 1 - The period of valid use of the private key may be different from
> the certified validity of the public key as indicated by the certificate
> validity period. With digital signature keys, the usage period for the
> signing private key is typically shorter than that for the verifying public
> key.
> 
> It is the word "typical" that confuses me. It implies it could be different.
> 
> This extension was included in RFC 3280 with a heavy health warning. It was
> omitted from RFC 5280 (except for A.2).
> 
> In my mind, the validity of the private key should not spread outside the
> validity period of the certificate.
> 
> Have I misunderstood something?
> 
> Erik
>
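As an added example (not part of either message above), here is a small pure-Python DER encoder/decoder for the privateKeyUsagePeriod extension (id-ce 16, the notBefore/notAfter structure Erik quotes) together with a check that enforces the reading he argues for: a present notBefore or notAfter must not fall outside the certificate validity, while an absent component is treated as "no information" and left unchecked. The certificate dates and encoded periods are constructed sample values, not taken from any real certificate.

```python
from datetime import datetime, timezone

PKUP_OID = "2.5.29.16"  # id-ce-privateKeyUsagePeriod (RFC 3280, 4.2.1.4)

def _gentime(dt):
    # DER GeneralizedTime: YYYYMMDDHHMMSSZ, UTC, no fractional seconds
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii")

def _tlv(tag, body):
    assert len(body) < 128  # short-form length is enough for this extension
    return bytes([tag, len(body)]) + body

def encode_pkup(not_before=None, not_after=None):
    # PrivateKeyUsagePeriod ::= SEQUENCE { notBefore [0] GeneralizedTime OPTIONAL,
    #   notAfter [1] GeneralizedTime OPTIONAL } -- IMPLICIT tags 0x80 / 0x81
    body = b""
    if not_before is not None:
        body += _tlv(0x80, _gentime(not_before))
    if not_after is not None:
        body += _tlv(0x81, _gentime(not_after))
    return _tlv(0x30, body)

def decode_pkup(der):
    # Returns (notBefore, notAfter); an absent component decodes to None,
    # which per the X.509 text means "no information" about that end.
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    pos, found = 2, {}
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        val = der[pos + 2:pos + 2 + length]
        if tag not in (0x80, 0x81) or tag in found or len(val) != length:
            raise ValueError("bad tag, duplicate component or truncated value")
        found[tag] = datetime.strptime(val.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        pos += 2 + length
    return found.get(0x80), found.get(0x81)

def pkup_within_validity(der, cert_not_before, cert_not_after):
    # The constraint Erik argues for: the period must not extend outside the
    # certificate validity. Absent ends carry no information and are not checked.
    nb, na = decode_pkup(der)
    if nb is not None and nb < cert_not_before:
        return False
    return na is None or na <= cert_not_after

# Constructed sample values, not taken from any real certificate
CERT_NOT_BEFORE = datetime(2016, 5, 6, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2018, 5, 6, tzinfo=timezone.utc)
KEY_ONLY_NOT_AFTER = encode_pkup(not_after=datetime(2017, 5, 6, tzinfo=timezone.utc))
KEY_PAST_CERT = encode_pkup(not_before=CERT_NOT_BEFORE, not_after=datetime(2019, 1, 1, tzinfo=timezone.utc))
```

KEY_ONLY_NOT_AFTER passes the check (no notBefore, notAfter inside the validity), while KEY_PAST_CERT fails because its notAfter lies beyond the certificate's notAfter.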