[pkix] Private key usage period extension

"Erik Andersen" <era@x500.eu> Fri, 06 May 2016 08:42 UTC

From: Erik Andersen <era@x500.eu>
To: Directory list <x500standard@freelists.org>, PKIX <pkix@ietf.org>
Date: Fri, 06 May 2016 10:42:26 +0200
Message-ID: <000901d1a773$379e1680$a6da4380$@x500.eu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/qwMmY9GMKAgJNeWOYFUu_A0vE5k>
Subject: [pkix] Private key usage period extension

X.509 has a specification of the Private key usage period extension
(8.2.2.5). This extension is a little confusing. It has a notBefore and a
notAfter specification. However, the text says:

The notBefore component indicates the earliest date and time at which the
private key could be used for signing. If the notBefore component is not
present, then no information is provided as to when the period of valid use
of the private key commences. The notAfter component indicates the latest
date and time at which the private key could be used for signing. If the
notAfter component is not present then no information is provided as to when
the period of valid use of the private key concludes.

With a little ill will, this can be read as the private key validation
period may extend beyond the validity of the public key. Note 1 adds to the
confusion, as it says:

NOTE 1 - The period of valid use of the private key may be different from
the certified validity of the public key as indicated by the certificate
validity period. With digital signature keys, the usage period for the
signing private key is typically shorter than that for the verifying public
key.

It is the word "typical" that confuses me. It implies it could be different.

This extension was included in RFC 3280 with a heavy health warning. It was
omitted from RFC 5280 (except for A.2).

In my mind, the validity of the private key should not spread outside the
validity period of the certificate.

Have I misunderstood something?

Erik
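As an added example (my code, not part of Erik's message, of X.509 or of any RFC), the DER shape of the extension with its two OPTIONAL components, a decoder that returns None where a component is absent (the "no information is provided" case), and a check that a decoded period does not run outside the certificate's own validity; the sample dates and the finding strings are constructed here.

```python
from datetime import datetime, timezone
from typing import List, Optional, Tuple
GT_FMT = "%Y%m%d%H%M%SZ"  # DER GeneralizedTime: UTC, whole seconds, trailing Z

def encode_private_key_usage_period(not_before: Optional[datetime],
                                    not_after: Optional[datetime]) -> bytes:
    """DER for SEQUENCE { notBefore [0] IMPLICIT GeneralizedTime OPTIONAL,
    notAfter [1] IMPLICIT GeneralizedTime OPTIONAL }; None omits that component."""
    body = b""
    for tag, when in ((0x80, not_before), (0x81, not_after)):
        if when is not None:
            t = when.astimezone(timezone.utc).strftime(GT_FMT).encode("ascii")
            body += bytes([tag, len(t)]) + t
    return bytes([0x30, len(body)]) + body  # body is at most 34 bytes: short-form length

def parse_private_key_usage_period(der: bytes) -> Tuple[Optional[datetime], Optional[datetime]]:
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or len(der) != 2 + der[1]:
        raise ValueError("expected a SEQUENCE with short-form length")
    not_before = not_after = None  # an absent OPTIONAL component stays None
    pos = 2
    while pos < len(der):
        if pos + 2 > len(der) or pos + 2 + der[pos + 1] > len(der):
            raise ValueError("truncated component")
        tag, length = der[pos], der[pos + 1]
        text = der[pos + 2:pos + 2 + length].decode("ascii")
        when = datetime.strptime(text, GT_FMT).replace(tzinfo=timezone.utc)
        if tag == 0x80:
            not_before = when
        elif tag == 0x81:
            not_after = when
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        pos += 2 + length
    return not_before, not_after

def usage_period_findings(pkup_der: bytes, cert_not_before: datetime,
                          cert_not_after: datetime) -> List[str]:
    """Flag an open-ended usage period or one that runs outside certificate validity."""
    nb, na = parse_private_key_usage_period(pkup_der)
    checks = [
        (nb is None, "notBefore absent: start of private key usage unspecified"),
        (nb is not None and nb < cert_not_before, "private key notBefore precedes certificate notBefore"),
        (na is None, "notAfter absent: end of private key usage unspecified"),
        (na is not None and na > cert_not_after, "private key notAfter extends beyond certificate notAfter"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed sample: certificate valid 2016-2019 with a usage period running past it.
CERT_VALIDITY = (datetime(2016, 1, 1, tzinfo=timezone.utc), datetime(2019, 1, 1, tzinfo=timezone.utc))
SAMPLE_PKUP = encode_private_key_usage_period(CERT_VALIDITY[0], datetime(2020, 1, 1, tzinfo=timezone.utc))
```

Running `usage_period_findings(SAMPLE_PKUP, *CERT_VALIDITY)` reports the notAfter that extends beyond the certificate, while a period with one component omitted is reported as unspecified rather than silently accepted.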