Technically, 'expiration' is also an action taken by the CA. It's basically saying, "I attest to the validity of this binding until this date, *unless something extraordinary happens in the meantime*."
They really do have the same meaning -- that the CA is not willing to attest to the identity binding. After expiration, the CA doesn't give one whit about the bound key -- and the entity which owned the private key in question could hand that key over to someone else, and the CA doesn't need to do anything at all because it has already acted. Remember, *everything* in the certificate is an action of the CA. It is the final actor in the creation of the certificate, and it is the final actor in the revocation of the certificate.

-Kyle H

On Mon, Jan 12, 2009 at 1:20 PM, Paul Hoffman <phoff...@proper.com> wrote:
> At 10:07 PM +0100 1/12/09, Ian G wrote:
>> * RFC5280 is an implementation document and doesn't do
>> semantics much, if at all.
>> * It does not define the meaning of expiry or revocation.
>> * By _meaning_, I mean semantics, what outsiders should take
>> as the message being delivered, implying some hint as to
>> action.
>
> So far, you are zero for three. RFC 5280 does indeed say what semantics a
> relying party should use with respect to things like revocation and
> expiration. (You did get as far as section 6, didn't you?)
>
>> * RFC5280 does suggest that they work together.
>
> I have no idea what this means.
>
>> * (I conclude that) RFC5280 suggests that:
>>
>> *revocation and out-of-validation have the same meaning*.
>
> Revocation is an action taken by a CA. Expiration happens when time elapses.
> Notice how different those are.
>
> I'm skipping the rest because it is clear we read the same base document
> completely differently.
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
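The relying-party side of the argument above, as an added worked example that is not code from the thread or from any of its participants: RFC 5280 section 6.1.3 requires a relying party to check both that the validity period includes the current time and that the certificate is not revoked, and section 6.3 requires the CRL consulted for the second check to itself be current. The `Cert` and `CRL` classes are toy models containing only the fields these checks need, and the sample certificates and dates in `demo()` are constructed for the illustration. The point the code makes is the one both sides agree on: an expired certificate and a revoked certificate end up in the same "do not rely on this key" bucket, even though the first needs no CA action at all and the second needs a fresh CRL from the CA.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class Status(Enum):
    VALID = "valid"
    NOT_YET_VALID = "not yet valid"
    EXPIRED = "expired"
    REVOKED = "revoked"
    REVOCATION_UNKNOWN = "revocation status unknown"


@dataclass(frozen=True)
class Cert:
    """Toy model (assumption): only the fields these two checks need."""
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    """Toy CRL (assumption): issuance window plus the revoked serial numbers."""
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


def check_cert(cert: Cert, crl: Optional[CRL], now: datetime) -> Status:
    """Return why (or whether) a relying party may rely on `cert` at `now`.

    Step 1 is RFC 5280 6.1.3 (a)(2): the validity period must include the
    current time. No CA action after issuance is needed for this to fail;
    the clock alone does it.
    Step 2 is RFC 5280 6.1.3 (a)(3): the certificate must not be revoked.
    Here that means consulting a CRL, which per section 6.3 must itself be
    current before its contents mean anything.
    """
    if now < cert.not_before:
        return Status.NOT_YET_VALID
    if now > cert.not_after:
        return Status.EXPIRED
    if crl is None or not (crl.this_update <= now <= crl.next_update):
        # No current revocation information. A relying party must not
        # quietly treat "I could not check" as "not revoked".
        return Status.REVOCATION_UNKNOWN
    if cert.serial in crl.revoked_serials:
        return Status.REVOKED
    return Status.VALID


def acceptable(cert: Cert, crl: Optional[CRL], now: datetime) -> bool:
    """Expired, revoked and unknown all collapse to 'do not rely on the key'."""
    return check_cert(cert, crl, now) is Status.VALID


def demo() -> Dict[str, Status]:
    """Constructed sample data (not from the thread); 'now' is the thread's date."""
    now = datetime(2009, 1, 12, 21, 20, tzinfo=timezone.utc)
    day = timedelta(days=1)
    crl = CRL(this_update=now - 1 * day, next_update=now + 6 * day,
              revoked_serials=frozenset({3}))
    stale_crl = CRL(this_update=now - 30 * day, next_update=now - 20 * day,
                    revoked_serials=frozenset())
    certs = {
        "current": Cert(1, now - 30 * day, now + 335 * day),
        "expired": Cert(2, now - 400 * day, now - 35 * day),
        "revoked": Cert(3, now - 30 * day, now + 335 * day),
        "not_yet_valid": Cert(4, now + 1 * day, now + 366 * day),
    }
    results = {name: check_cert(c, crl, now) for name, c in certs.items()}
    # Same current certificate, but the only CRL we hold is out of date.
    results["current_stale_crl"] = check_cert(certs["current"], stale_crl, now)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20s} {status.value}")
```

Note the ordering: the validity-period check runs first and does not touch the CRL, which is why an expired certificate stays unacceptable even after the CA stops publishing anything about it; the revocation check, by contrast, is only as good as the freshness of the CRL you hold, so a stale CRL yields "unknown" rather than "valid".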