Re: [pkix] Private key usage period extension

"Erik Andersen" <> Sat, 07 May 2016 05:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B33BE12D512 for <>; Fri, 6 May 2016 22:53:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sR6ecaaI-nOD for <>; Fri, 6 May 2016 22:53:47 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0D55112B036 for <>; Fri, 6 May 2016 22:53:46 -0700 (PDT)
Received: from Morten ([]) by (DanDomain Mailserver) with ASMTP id 2201605070753418377; Sat, 07 May 2016 07:53:41 +0200
From: "Erik Andersen" <>
To: "'Directory list'" <>, "'PKIX'" <>
References: <000901d1a773$379e1680$a6da4380$> <>
In-Reply-To: <>
Date: Sat, 7 May 2016 07:53:41 +0200
Message-ID: <000001d1a824$cf6496e0$6e2dc4a0$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQJYEc9fvtVi9SNiQE1fwP6vqYjwqAKM1/Vknou8tEA=
Content-Language: en-gb
Archived-At: <>
Subject: Re: [pkix] Private key usage period extension
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 07 May 2016 05:53:50 -0000

It seem like we just leave as it is. I could suggest a new note saying
something like "This Specification does not specify any semantic associated
with this extension. This has to be defined for the individual usage".



-----Oprindelig meddelelse-----
Fra: Peter Gutmann [] 
Sendt: 07 May 2016 07:09
Til: Erik Andersen <>eu>; Directory list
<>rg>; PKIX <>
Emne: RE: [pkix] Private key usage period extension

Erik Andersen <> writes:

>This extension was included in RFC 3280 with a heavy health warning. It 
>was omitted from RFC 5280 (except for A.2).

It's been deprecated since RFC 2459.  At that time no-one was ever able to
give a coherent explanation for this that got much beyond "PKIX doesn't do
that sort of thing" [0].
>In my mind, the validity of the private key should not spread outside 
>the validity period of the certificate.

It's not meant for that, in fact it's the exact opposite, it's an extremely
useful extension for when you want to say that, for example, a signing key
is valid for one year but the certificate used to verify its signatures is
valid for ten years.  The lack of a capability for doing this has been
plaguing cert-based signatures for years, leading to all manner of
workaround hacks to deal with verifying signatures after the cert has


[0] Years later people retconned explanations for it, but none of them were 
    terribly credible.