2

As we know, it is not recommended to provide permanent validity of a certificate for a public key. I don't know why. Could you give me some reasons?

user40545
  • and this [Why is it a good idea that X.509 digital certificates have an expiry date?](http://security.stackexchange.com/questions/11949/why-is-it-a-good-idea-that-x-509-digital-certificates-have-an-expiry-date) – Silverfox Feb 03 '16 at 21:02

1 Answer

2

Just to be precise, an X.509 certificate has a non-optional end of validity date, so you cannot make a standard-compliant "permanent" certificate. However, that date can be encoded as a GeneralizedTime which can encode instants up to the end of year 9999, which is far enough in the future to be considered "forever".

Note that there is a binary equivalent to the Y2K problem, called the Year 2038 problem, so a certificate whose end-of-validity is beyond January 19th, 2038, may incur interoperability issues. Usually, Windows systems do not have any trouble with such dates (because they use 64-bit integers for their internal time representation), but applications that use old libraries from the Unix world (in particular OpenSSL), and use them poorly, may have difficulty handling such a certificate. It is thus recommended, for now, to avoid setting the end-of-validity date beyond 2037.

Anyway, the official reason for having an end-of-validity date is to support revocation. When a certificate is revoked, its serial number is added to a list called the CRL, periodically published by the CA. The serial number will need to be kept as part of the CRL as long as the certificate is "valid" (with regards to its end-of-validity date). Thus, the end-of-validity is there to allow pruning old entries from CRL; if certificates were permanent, then CRL would grow indefinitely, which could be a problem since they are supposed to be generated and re-downloaded frequently.

In an ideal world, or at least a better world, we would not use CRL but OCSP. An OCSP response is like a CRL that talks about a unique certificate. In a pure-OCSP revocation system, permanent certificates would not be an issue at all.

The less-official reason for the end-of-validity date is that it works as a renewal fee due date. When a commercial CA sells certificates, the CA really loves it when customers must come back and buy a renewal every year.

Thomas Pornin
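The three mechanics the answer relies on, as an added example that is not part of the original answer or of any library it mentions: how X.509 encodes the notAfter date (RFC 5280 uses UTCTime for years 1950 through 2049 and GeneralizedTime beyond, which is what makes a "9999" expiry representable), a check for whether a date survives a signed 32-bit `time_t` (the 2038 cut-off), and the CRL pruning that an expiry date makes possible. The DER encoder/decoder, the `fits_32bit_time_t` check and the `prune_crl` function are all written here for illustration; the revoked-certificate entries are constructed sample data, not real serial numbers.

```python
from datetime import datetime, timezone

# Last instant representable in a signed 32-bit time_t (the "Year 2038 problem").
TIME_T_32_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


def utc(*args):
    """Convenience constructor for an aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


def encode_x509_time(t):
    """DER-encode an X.509 Time as RFC 5280 section 4.1.2.5 requires:
    UTCTime (tag 0x17, YYMMDDHHMMSSZ) for 1950..2049, GeneralizedTime
    (tag 0x18, YYYYMMDDHHMMSSZ) for every other year. Returns the TLV bytes."""
    if t.tzinfo is None or t.utcoffset().total_seconds() != 0:
        raise ValueError("X.509 Time must be expressed in UTC")
    hms = f"{t.month:02d}{t.day:02d}{t.hour:02d}{t.minute:02d}{t.second:02d}Z"
    if 1950 <= t.year <= 2049:
        tag, body = 0x17, f"{t.year % 100:02d}{hms}"
    else:
        tag, body = 0x18, f"{t.year:04d}{hms}"
    body = body.encode("ascii")
    return bytes([tag, len(body)]) + body


def decode_x509_time(der):
    """Inverse of encode_x509_time. Applies the RFC 5280 two-digit-year rule
    (50..99 -> 19xx, 00..49 -> 20xx) rather than the C library's 1969 pivot."""
    tag, length = der[0], der[1]
    body = der[2:2 + length].decode("ascii")
    if len(body) != length or not body.endswith("Z"):
        raise ValueError("malformed X.509 Time")
    if tag == 0x17:
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif tag == 0x18:
        year, rest = int(body[:4]), body[4:]
    else:
        raise ValueError("not a UTCTime or GeneralizedTime")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def fits_32bit_time_t(t):
    """True if a 32-bit time_t consumer (old Unix-style code) can represent t."""
    return t <= TIME_T_32_MAX


def prune_crl(entries, now):
    """Keep only revoked entries whose certificate has not expired on its own.
    A CRL only needs to list certificates a relying party would otherwise still
    accept, so an expiry date bounds how long each entry must stay on the list.
    Entries for 'forever' certificates can never be pruned."""
    return [e for e in entries if e["not_after"] > now]


# Constructed sample data: revoked serials with their certificates' notAfter.
SAMPLE_REVOKED = [
    {"serial": 0x1001, "not_after": utc(2020, 6, 1)},             # long expired
    {"serial": 0x1002, "not_after": utc(2030, 6, 1)},             # still needs listing
    {"serial": 0x1003, "not_after": utc(9999, 12, 31, 23, 59, 59)},  # effectively permanent
]

if __name__ == "__main__":
    for when in (utc(2037, 12, 31, 23, 59, 59), utc(9999, 12, 31, 23, 59, 59)):
        der = encode_x509_time(when)
        print(when.isoformat(), der.hex(), "32-bit-safe" if fits_32bit_time_t(when) else "beyond 2038")
    print([hex(e["serial"]) for e in prune_crl(SAMPLE_REVOKED, utc(2025, 1, 1))])
```

Running the script shows that the 2037 expiry encodes as a 13-byte UTCTime and passes the 32-bit check, while the year-9999 expiry needs the 15-byte GeneralizedTime form and fails it; the pruned CRL drops the 2020 entry but can never drop the "permanent" one, which is the growth problem the answer describes.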