On Sun, Mar 16, 2008 at 11:27 PM, Michael Sierchio <[EMAIL PROTECTED]> wrote:
> David Schwartz wrote:
>
> > You have to have absolute trust in any entity that will generate or store
> your private key. Thus you can trust any information in it -- anyone who
> could put in bogus information could give away your key to strangers. (By
> absolute trust, I mean with respect to anything you would use that private
> key for.)
>
> Pick a keypair, any keypair. It has existed in a mathematical sense
> since mathematics has existed, or longer, if your a mathematical
> idealist. What do you have in mind? I give them all a creation date of 0.
Since it's infeasable to store all of the possible keypairs in the
number of atoms in the universe, your assertion holds no water. They
may have existed 'forever', but since every new keypair usage requires
a new exhaustive search, realistically it can be viewed as 'generated
on' the date that the person locating the two huge primes and then
performing the appropriate calculations to convert them into related
keys set them down.
> NotValidBefore and NotValidAfter are perfectly fine concepts that do not
> violate the laws of modularity, and are where they belong. These come
> from the signing authorities policy, which also may preclude key reuse
> after expiry (you can't sign with the private key after expiration, but
> verification of any messages signed in the validity window succeeds).
I've already shown that what the CA applies ('NotValidBefore' and
'NotValidAfter') do not refer to the keys themselves, but to the
binding of the identity to the public key. This is a different
concept than "the useful and valuable lifetime of the keypair", which
is a piece of policy data that arguably shouldn't be made public (and
thus included in the certification).
-Kyle H
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
