Re: [pkix] Private key usage period extension
Peter Rybár <peter.rybar@nbusr.sk> Fri, 06 May 2016 09:51 UTC
From: Peter Rybár <peter.rybar@nbusr.sk>
To: 'Erik Andersen' <era@x500.eu>, 'Directory list' <x500standard@freelists.org>, 'PKIX' <pkix@ietf.org>
References: <000901d1a773$379e1680$a6da4380$@x500.eu>
In-Reply-To: <000901d1a773$379e1680$a6da4380$@x500.eu>
Date: Fri, 06 May 2016 11:50:53 +0200
Message-ID: <201605060951.u469p536017433@mail.nbusr.sk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/fmHru4f7uIt3ID1LX4T1RVeCe3k>
Subject: Re: [pkix] Private key usage period extension
One key pair can be included in many certificates, e.g. cross-certificates. The validity period of each cross-certificate can be different. After the time value of the notAfter field of the Private key usage period extension of the private key used for signing, any duplicates of the private key are deleted.

Peter

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Erik Andersen
Sent: Friday, May 6, 2016 10:42 AM
To: Directory list; PKIX
Subject: [pkix] Private key usage period extension

X.509 has a specification of the Private key usage period extension (8.2.2.5). This extension is a little confusing. It has a notBefore and a notAfter specification. However, the text says:

The notBefore component indicates the earliest date and time at which the private key could be used for signing. If the notBefore component is not present, then no information is provided as to when the period of valid use of the private key commences. The notAfter component indicates the latest date and time at which the private key could be used for signing. If the notAfter component is not present, then no information is provided as to when the period of valid use of the private key concludes.

With a little ill will, this can be read as the private key validation period may extend beyond the validity of the public key. Note 1 adds to the confusion, as it says:

NOTE 1 - The period of valid use of the private key may be different from the certified validity of the public key as indicated by the certificate validity period. With digital signature keys, the usage period for the signing private key is typically shorter than that for the verifying public key.

It is the word "typical" that confuses me. It implies it could be different. This extension was included in RFC 3280 with a heavy health warning. It was omitted from RFC 5280 (except for A.2). In my mind, the validity of the private key should not spread outside the validity period of the certificate.

Have I misunderstood something?

Erik
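Neither message contains code, so the following Python is an added example (not from either poster, nor from the X.509 or PKIX specifications). It encodes and parses the DER value of the extension (OID 2.5.29.16, ASN.1 PrivateKeyUsagePeriod with optional notBefore [0] and notAfter [1] GeneralizedTime components, assumed here to use the IMPLICIT tagging of the PKIX ASN.1 module) and then compares the parsed period against a certificate's validity window. It reports exactly the cases the thread discusses: a component being absent (no information provided) and the private key period extending beyond the certificate validity, which Erik argues should not happen. All date values and the DER samples are constructed for the example.

```python
import datetime as dt
from typing import List, Optional, Tuple

# OID of the privateKeyUsagePeriod extension (X.509 8.2.2.5, RFC 3280 4.2.1.4).
PRIVATE_KEY_USAGE_PERIOD_OID = "2.5.29.16"

# DER tags used below. Assumption: IMPLICIT tagging as in the PKIX module, so the
# [0] and [1] components carry the context-specific primitive tags 0x80 and 0x81.
TAG_SEQUENCE = 0x30
TAG_NOT_BEFORE = 0x80
TAG_NOT_AFTER = 0x81
GENERALIZED_TIME_FMT = "%Y%m%d%H%M%SZ"  # DER GeneralizedTime: UTC, no fractional seconds


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def encode_private_key_usage_period(not_before: Optional[dt.datetime],
                                    not_after: Optional[dt.datetime]) -> bytes:
    """Build the DER extnValue of a PrivateKeyUsagePeriod; either component may be omitted."""
    body = b""
    if not_before is not None:
        body += _tlv(TAG_NOT_BEFORE, not_before.strftime(GENERALIZED_TIME_FMT).encode("ascii"))
    if not_after is not None:
        body += _tlv(TAG_NOT_AFTER, not_after.strftime(GENERALIZED_TIME_FMT).encode("ascii"))
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos]; return (tag, value, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def _parse_generalized_time(value: bytes) -> dt.datetime:
    return dt.datetime.strptime(value.decode("ascii"), GENERALIZED_TIME_FMT).replace(tzinfo=dt.timezone.utc)


def parse_private_key_usage_period(der: bytes) -> Tuple[Optional[dt.datetime], Optional[dt.datetime]]:
    """Parse PrivateKeyUsagePeriod ::= SEQUENCE { notBefore [0] OPTIONAL, notAfter [1] OPTIONAL }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("PrivateKeyUsagePeriod must be a single SEQUENCE")
    not_before = not_after = None
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_NOT_BEFORE and not_before is None:
            not_before = _parse_generalized_time(value)
        elif tag == TAG_NOT_AFTER and not_after is None:
            not_after = _parse_generalized_time(value)
        else:
            raise ValueError(f"unexpected or repeated tag 0x{tag:02x}")
    return not_before, not_after


def check_usage_period(ext_der: bytes, cert_not_before: dt.datetime,
                       cert_not_after: dt.datetime) -> List[str]:
    """Compare the extension with the certificate validity; an empty list means consistent."""
    pk_not_before, pk_not_after = parse_private_key_usage_period(ext_der)
    findings: List[str] = []
    if pk_not_before is None:
        findings.append("notBefore absent: no information on when private key use commences")
    elif pk_not_before < cert_not_before:
        findings.append("private key usage starts before certificate validity")
    if pk_not_after is None:
        findings.append("notAfter absent: no information on when private key use concludes")
    elif pk_not_after > cert_not_after:
        findings.append("private key usage period extends beyond certificate validity")
    return findings


def demo() -> dict:
    """Run the check over three constructed samples against a constructed certificate validity."""
    utc = dt.timezone.utc
    cert_nb, cert_na = dt.datetime(2016, 1, 1, tzinfo=utc), dt.datetime(2019, 1, 1, tzinfo=utc)
    samples = {
        # The typical case from NOTE 1: signing period shorter than the certificate validity.
        "typical": encode_private_key_usage_period(cert_nb, dt.datetime(2017, 1, 1, tzinfo=utc)),
        # The reading Erik objects to: notAfter later than the certificate's notAfter.
        "overlong": encode_private_key_usage_period(cert_nb, dt.datetime(2020, 1, 1, tzinfo=utc)),
        # notAfter omitted: the extension says nothing about when use concludes.
        "open_ended": encode_private_key_usage_period(cert_nb, None),
    }
    return {name: check_usage_period(der, cert_nb, cert_na) for name, der in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["consistent with certificate validity"])
```

A relying party that treats the extension as informational, as RFC 5280 does by dropping it, would still find the "overlong" and "open_ended" findings useful as audit signals when reviewing a CA's issuance profile.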