Re: Key pair & Certificate lifetimes

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 04/28/05


Date: Thu, 28 Apr 2005 11:20:59 -0600

vandananoSpam@nortel.com writes:
> Are the public-private key pairs supposed to have the same lifetime as
> the certificate?? I could not find any specific mention either way in
> the RFCs.

RFCs tend to address technical issues .... certificate lifetime
tends to be a business issue ... involving (at least)

* expected validity lifetime of the information certified
* expected lifetime of the private key related to the public
  key certified
* expected lifetime (non-exploit) of the CA's private key
* possibly, expected CA business lifetime

I've seen scenarios for 24hr (and even 8hr) certificates ... where the
information certified today couldn't be relied on to still be true
tomorrow.

The certificate model ... again, is the offline scenario evolving the
letters-of-credit paradigm left over from (at least) the sailing ship days.
The person involved could have a credential and the relying party
relies on the credential in lieu of being able to directly contact the
authoritative agency responsible for the information.

the short-lived certificates are starting to blur the line regarding
whether the relying party would be better off directly contacting the
authoritative agency in real-time ... rather than relying on a stale,
static certificate provided by the party they were trying to validate.

there have also been a number of deployments where the relying party
went thru the motions of performing the digital certificate processing
and then, in real-time, went directly to the authoritative agency
responsible for the information anyway (making the use of a stale,
static certificate, redundant and superfluous).

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
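The list of lifetimes above can be modelled as an intersection of validity windows, which is what a relying party's check would actually compute; the following is an added example (not code from the original post) using constructed dates and a simplified model with no X.509 parsing, and it also walks an issuer chain of any depth:

```python
# Added example: models certificate validity as the intersection of several
# lifetimes (certificate, subject key, each issuer CA). Dates are constructed
# for illustration; no real X.509 parsing is done.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Window:
    """Half-open validity interval [start, end), like notBefore/notAfter."""
    start: datetime
    end: datetime

    def intersect(self, other):
        return Window(max(self.start, other.start), min(self.end, other.end))

    @property
    def valid(self):
        return self.start < self.end


def effective_validity(cert, key_generated, key_lifetime, issuers):
    """Return (window, binding): the period in which a relying party can
    actually rely on the certificate, and the constraint that ends it first.
    key_lifetime is the policy lifetime of the subject's private key."""
    constraints = {
        "certificate": cert,
        "subject key": Window(key_generated, key_generated + key_lifetime),
    }
    for depth, issuer in enumerate(issuers):
        constraints[f"issuer CA[{depth}]"] = issuer
    window = cert
    for w in constraints.values():
        window = window.intersect(w)
    binding = min(constraints, key=lambda name: constraints[name].end)
    return window, binding


def overclaimed_days(cert, window):
    """Days the certificate claims validity beyond what can be relied on."""
    return (cert.end - window.end).days


# Constructed scenario: a 2-year end-entity certificate whose key was generated
# earlier under a 2-year key policy, issued by a CA whose own certificate
# expires before the end-entity certificate does.
EE_CERT = Window(datetime(2005, 4, 28), datetime(2007, 4, 28))
KEY_GENERATED = datetime(2004, 11, 1)
KEY_POLICY = timedelta(days=730)
CA_CERT = Window(datetime(2001, 7, 1), datetime(2006, 6, 30))

if __name__ == "__main__":
    win, why = effective_validity(EE_CERT, KEY_GENERATED, KEY_POLICY, [CA_CERT])
    print(f"effective {win.start:%Y-%m-%d} to {win.end:%Y-%m-%d}, bound by {why}")
    print(f"certificate overclaims {overclaimed_days(EE_CERT, win)} days")
```

Swapping in a longer-lived CA window makes the subject key policy the binding constraint instead, which is the case the original question is really asking about.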