Re: [pkix] Managing Long-Lived CA certs

EG Giessmann <giessman@informatik.hu-berlin.de> Thu, 20 July 2017 09:23 UTC

To: pkix@ietf.org
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org> <001501d2ff0e$00eddfa0$02c99ee0$@x500.eu> <1500348690922.69356@cs.auckland.ac.nz> <27d212b4-c5a6-19d1-2afd-f18adaf21031@nist.gov> <003d01d2ffdd$35d67c70$a1837550$@x500.eu> <d032d03f-6ece-44e1-58b7-e3141f3b8e3d@openca.org> <c66ebeda-21be-93fe-f315-7d1e7f069505@gmail.com> <b474e62e-64d3-5c9f-6dc3-4f96749f5440@free.fr>
From: EG Giessmann <giessman@informatik.hu-berlin.de>
Message-ID: <3c9ca3d1-aee3-6b7c-5c4c-b701f59695e7@informatik.hu-berlin.de>
Date: Thu, 20 Jul 2017 11:22:53 +0200
In-Reply-To: <b474e62e-64d3-5c9f-6dc3-4f96749f5440@free.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/poquMH7rUGJCoK9bAtMwaeEg1dg>
Subject: Re: [pkix] Managing Long-Lived CA certs

Just to support Denis:
The so-called validity time is defined as "the time interval during
which the CA warrants that it will maintain information about
the status of the public-key certificate."
Therefore, it is in fact a warranty time and not a validity time.
/Ernst.
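The practical consequence of reading the validity period as a status warranty, as an added example (not part of the thread and not Ernst's code): once a CA certificate's notAfter has passed, a relying party should not expect fresh CRL or OCSP data for certificates under it, so long-lived signatures can only be checked against status evidence captured while the CA still warranted it. The helper below models that decision for a constructed CA validity window and a constructed archived CRL/OCSP capture; the `Validity`, `StatusEvidence` and `revocation_status_source` names and the three-way result are assumptions of this example, not terms from RFC 5280 or the list discussion.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Validity:
    """The notBefore/notAfter pair of a CA certificate, read here as the
    interval during which the CA warrants maintaining status information."""
    not_before: datetime
    not_after: datetime

    def covers(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


@dataclass(frozen=True)
class StatusEvidence:
    """An archived CRL or OCSP response: thisUpdate/nextUpdate of the capture."""
    this_update: datetime
    next_update: datetime

    def fresh_at(self, t: datetime) -> bool:
        return self.this_update <= t <= self.next_update


def revocation_status_source(
    ca_validity: Validity,
    check_time: datetime,
    signing_time: Optional[datetime] = None,
    archived: Optional[StatusEvidence] = None,
) -> str:
    """Where can revocation status for a certificate issued by this CA come from
    when a relying party checks at `check_time`? (Hypothetical helper.)

    "live"     - check_time is inside the CA's warranty window; fetch a fresh
                 CRL/OCSP response, the CA still promises to publish one.
    "archived" - the window has closed, but evidence issued inside the window and
                 fresh at the signing time was kept, so status at signing is known.
    "none"     - no status the CA ever warranted is available; status is unknown.
                 Note this is not "signature invalid": the signature still verifies,
                 only the CA's status warranty has lapsed.
    """
    if ca_validity.covers(check_time):
        return "live"
    if archived is None or signing_time is None:
        return "none"
    # Evidence counts only if the CA issued it while it still warranted status
    # information, and it actually covers the moment the signature was made.
    if ca_validity.covers(archived.this_update) and archived.fresh_at(signing_time):
        return "archived"
    return "none"


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: a ten-year CA and a CRL captured in its last year.
CA_WINDOW = Validity(_utc(2010, 1, 1), _utc(2020, 1, 1))
CRL_2019 = StatusEvidence(this_update=_utc(2019, 6, 1), next_update=_utc(2019, 7, 1))

if __name__ == "__main__":
    print(revocation_status_source(CA_WINDOW, _utc(2015, 3, 1)))                       # live
    print(revocation_status_source(CA_WINDOW, _utc(2023, 3, 1),
                                   signing_time=_utc(2019, 6, 15), archived=CRL_2019))  # archived
    print(revocation_status_source(CA_WINDOW, _utc(2023, 3, 1)))                       # none
```

The third case is the one the terminology debate matters for: an expired CA certificate does not retroactively break the mathematics of signatures under it, it only ends the CA's promise to say whether the signing certificate was revoked, which is why long-term validation schemes archive CRLs, OCSP responses and timestamps while that promise still holds.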