Key pair & Certificate lifetimes


Are the public-private key pairs supposed to have the same lifetime as
the certificate?  I could not find any specific mention either way in
the RFCs.


Re: Key pair & Certificate lifetimes

RFCs tend to address technical issues .... certificate lifetime
tends to be a business issue ... involving (at least)

* expected validity lifetime of the information certified
* expected lifetime of the private key related to the public
  key certified
* expected lifetime (non-exploit) of the CA's private key
* possibly, expected CA business lifetime

I've seen scenarios for 24hr (and even 8hr) certificates ... where the
information certified today couldn't be relied on to still be true

The certificate model ... again, is the offline scenario evolving the
letters-of-credit paradigm left over from (at least) the sailing ship days.
The person involved could have a credential and the relying party
relies on the credential in lieu of being able to directly contact the
authoritative agency responsible for the information.

the short-lived certificates are starting to blur the line regarding
whether the relying party would be better off directly contacting the
authoritative agency in real-time ... rather than relying on a stale,
static certificate provided by the party they were trying to validate.

there have also been a number of deployments where the relying party
went thru the motions of performing the digital certificate processing
and then, in real-time, went directly to the authoritative agency
responsible for the information anyway (making the use of a stale,
static certificate redundant and superfluous).

Anne & Lynn Wheeler

Re: Key pair & Certificate lifetimes

Not necessarily so. Good PKI systems allow for a renewal of the
certificate, whilst keeping the original keypair.


Re: Key pair & Certificate lifetimes

John wrote:

aka the certification of the public key in a certificate is a somewhat
independent operation from the certification of other information that
might also be certified in the certificate. the reasonable lifetime of
a public/private key pair can be totally unrelated to the reasonable
lifetime of any other information that is also certified in a
certificate ... aka my previous posting Key pair & Certificate

investigation into certificates with things like 8hr or 24hr lifetimes
(because some of the certified information may reasonably be expected to
possibly have a very short lifetime).

note that the PKI and certification authority infrastructure design point
was to address the scenario where the relying party had no other recourse
to the actual online or offline information about the subject (aka the
offline electronic version of letters of credit from sailing ship

PKIs weren't originally viewed as substituting for situations where the
relying party might have direct access to the real information (rather
than having to rely on stale, static substitute information from

One of the scenarios about PKIs from the mid-90s ... would a relying
party prefer to

1) only know that the subject had a bank account from a specific
institution at some point in the past (possibly several months) ... aka
the stale, static, redundant and superfluous certificate scenario


2) have a real-time response from the financial institution ... not
only does the subject have a current bank account ... but the financial
institution has determined there is sufficient balance to cover the
transaction ... and has actually gone ahead and debited the account for
the amount of the transaction.

There were actually some factions that appeared to be convinced that
the first scenario was actually much more valuable than the second
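An added example, not part of this thread or of any poster's code, showing in working code the point made in the two replies above: the validity window belongs to the certificate, not to the key pair, so a certificate can be renewed over the same public key with a fresh window, and an 8-hour certificate expires while the key underneath it is unchanged. It builds a throwaway test CA, issues an 8-hour certificate for one key pair, renews it over the same public key, and checks what a relying party sees before and after the first certificate's NotAfter. The CA name, the subject name alice.example, the serial numbers and the fixed reference time are all constructed for the example; only Go's standard library is used.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// epoch is a constructed, fixed "now" so the arithmetic below is deterministic (real code: time.Now()).
var epoch = time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
// Result is what a relying party observes; see Run.
type Result struct {
	SameKey          bool // renewed cert carries the same SubjectPublicKeyInfo
	DifferentSerial  bool // but is a distinct certificate
	FirstValidEarly  bool // first cert accepted 1h after issuance
	FirstValidLate   bool // first cert accepted 8.5h after issuance (past its NotAfter)
	RenewedValidLate bool // renewed cert accepted at that same instant
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed test CA (hypothetical name); its 10-year window is a business choice.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             epoch.Add(-time.Hour),
		NotAfter:              epoch.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// issue certifies pub for one validity window. The subject's private key is never
// involved, so the same key can be certified repeatedly with different windows.
func issue(caKey *ecdsa.PrivateKey, ca *x509.Certificate, pub *ecdsa.PublicKey,
	serial int64, notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "alice.example"}, // constructed subject
		DNSNames:     []string{"alice.example"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// validAt is the relying party's check: does cert chain to ca at instant t?
// Only the certificate's NotBefore/NotAfter are consulted; the key pair has no expiry.
func validAt(ca, cert *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t, DNSName: "alice.example"})
	return err == nil
}

// Run issues an 8h certificate for one key pair, renews it over the same key, and checks both.
func Run() Result {
	caKey, ca := newCA()
	subject, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the long-lived key pair
	must(err)
	first := issue(caKey, ca, &subject.PublicKey, 2, epoch, 8*time.Hour)
	// Renewal: new serial, new window, same public key, no new key generation.
	renewed := issue(caKey, ca, &subject.PublicKey, 3, epoch.Add(8*time.Hour), 8*time.Hour)
	late := epoch.Add(8*time.Hour + 30*time.Minute)
	return Result{
		SameKey:          bytes.Equal(first.RawSubjectPublicKeyInfo, renewed.RawSubjectPublicKeyInfo),
		DifferentSerial:  first.SerialNumber.Cmp(renewed.SerialNumber) != 0,
		FirstValidEarly:  validAt(ca, first, epoch.Add(time.Hour)),
		FirstValidLate:   validAt(ca, first, late),
		RenewedValidLate: validAt(ca, renewed, late),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

`go run` prints `{SameKey:true DifferentSerial:true FirstValidEarly:true FirstValidLate:false RenewedValidLate:true}`. The practical caveat this makes visible: expiry is enforced only through the certificate's NotBefore/NotAfter, so after a key compromise the remaining certificate lifetime is the exposure window unless the relying party also checks revocation or asks the issuer in real time, which is exactly the trade-off behind the short-lived certificates discussed above. Reusing a key pair across renewals is legitimate, but it means the key's own lifetime (how long it can be kept secret) has to be decided separately from any one certificate's window.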
