At 1:42 PM -0800 1/12/09, Kyle Hamilton wrote:
>Technically, 'expiration' is also an action taken by the CA.

No, it is an action taken by time passing. When the time in the universe is the same as the time listed as "notAfter" in the cert, the cert expires. That's it.

>It's
>basically saying, "I attest to the validity of this binding until this
>date, *unless something extraordinary happens in the meantime*."

No, that's *way* too strong. The meaning of the notAfter date is quite simple: "the date on which the certificate validity period ends". (See the subject of this thread....) A revoked certificate does not expire until after the notAfter.

>They really do have the same meaning -- that the CA is not willing to
>attest to the identity binding.

No, they really don't have the same meaning. Revocation can happen even if the CA is willing to attest to the binding but knows that doing so is silly, such as if the CA knows that the public key has been destroyed. Similarly, a CA might still attest to the binding between the public key and the identity in a different certificate.

>After expiration, the CA doesn't give
>one whit about the bound key -- and the entity which owned the
>private key in question could hand that key over to someone else, and
>the CA doesn't need to do anything at all because it has already
>acted.

Quite right.

>Remember, *everything* in the certificate is an action of the CA. It
>is the final actor in the creation of the certificate, and it is the
>final actor in the revocation of the certificate.

An action at birth is quite different than an action at revocation.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
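An added illustration of the distinction argued in this message (example code, not from the thread or its authors): using the `cryptography` Python library, a constructed self-signed certificate and a CRL that revokes it mid-life, with `status()` reporting expiry and revocation as two separate facts, so between the revocation date and notAfter the cert is revoked but not expired. The names, dates, and the `_aware` helper are assumptions made for the example.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
# Constructed fixture values (not from the thread): a one-year cert revoked mid-life.
NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-ca")])
NOT_BEFORE = dt.datetime(2009, 1, 1, tzinfo=UTC)
NOT_AFTER = dt.datetime(2010, 1, 1, tzinfo=UTC)
REVOKED_AT = dt.datetime(2009, 6, 1, tzinfo=UTC)

def _aware(obj, name):
    """Read a date attribute as tz-aware UTC across cryptography versions (assumed helper)."""
    val = getattr(obj, name + "_utc", None)
    return val if val is not None else getattr(obj, name).replace(tzinfo=UTC)

def build_fixture():
    """Self-signed cert plus a CRL listing its serial as of REVOKED_AT."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(NAME).issuer_name(NAME)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
            .sign(key, hashes.SHA256()))
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(cert.serial_number)
             .revocation_date(REVOKED_AT).build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(NAME).last_update(REVOKED_AT)
           .next_update(REVOKED_AT + dt.timedelta(days=7))
           .add_revoked_certificate(entry).sign(key, hashes.SHA256()))
    return cert, crl

def status(cert, crl, now):
    """Return (expired, revoked), decided by different actors:
    expired by the clock passing notAfter, revoked by a CA entry on its CRL."""
    expired = now > _aware(cert, "not_valid_after")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    revoked = entry is not None and _aware(entry, "revocation_date") <= now
    return expired, revoked

def demo():
    """Status before revocation, after revocation but before notAfter, and after notAfter."""
    cert, crl = build_fixture()
    return tuple(status(cert, crl, dt.datetime(*ymd, tzinfo=UTC))
                 for ymd in ((2009, 3, 1), (2009, 9, 1), (2010, 3, 1)))
```

`demo()` returns `((False, False), (False, True), (True, True))`: the middle case is the one the message is about, a certificate the CA has revoked that has not yet expired.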