Discussion on key lifetimes and guidelines on revocation of X509 certificates etc.
Proposed rules on validity by @dirkx:
Rule 0: a certificate needs to be valid when it signs.
Rule 1: the DSC needs to be valid longer than anything it signs, so the DSC expiry date must be >= that of the document it signs.
Rule 2: the CSCA needs to be valid longer than any DSC it signs.
Rule 3: if any certificate has a shorter 'key usage period', then the signature needs to be placed in that period.
In general you already open/start with the next CSCA well before the previous one runs out (i.e. at last date minus your longest DSC/longest valid document).
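
The proposed rules expressed as a check over one CSCA -> DSC -> document chain. This is an added example, not code from the discussion or the project. The Cert fields, the function names and the sample dates are assumptions made for illustration, and the rollover helper takes one reading of the last sentence (CSCA end date minus the longest DSC lifetime).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Cert:
    not_before: datetime
    not_after: datetime
    # Optional shorter 'key usage period' (Rule 3); None means "same as validity".
    usage_from: Optional[datetime] = None
    usage_until: Optional[datetime] = None

    def may_sign_at(self, when: datetime) -> bool:
        """Rule 0 and Rule 3: valid, and inside the key usage period if one is set."""
        start = max(self.not_before, self.usage_from or self.not_before)
        end = min(self.not_after, self.usage_until or self.not_after)
        return start <= when <= end

def check_chain(csca, dsc, dsc_signed_at, doc_signed_at, doc_expires):
    """Return the violated rules as strings; an empty list means the chain passes."""
    problems = []
    if not csca.may_sign_at(dsc_signed_at):
        problems.append("rule 0/3: CSCA could not sign the DSC at that time")
    if not dsc.may_sign_at(doc_signed_at):
        problems.append("rule 0/3: DSC could not sign the document at that time")
    if dsc.not_after < doc_expires:
        problems.append("rule 1: DSC expires before the document it signed")
    if csca.not_after < dsc.not_after:
        problems.append("rule 2: CSCA expires before the DSC it signed")
    return problems

def latest_next_csca_start(csca, longest_dsc_lifetime: timedelta) -> datetime:
    """Last day the old CSCA can still issue a longest-lived DSC under Rule 2."""
    return csca.not_after - longest_dsc_lifetime

# Constructed sample dates, not taken from any real trust list.
CSCA = Cert(datetime(2021, 6, 1), datetime(2025, 6, 1), usage_until=datetime(2023, 6, 1))
DSC = Cert(datetime(2021, 7, 1), datetime(2023, 7, 1), usage_until=datetime(2022, 1, 1))

if __name__ == "__main__":
    issued = datetime(2021, 7, 1)
    print(check_chain(CSCA, DSC, issued, datetime(2021, 8, 1), datetime(2022, 8, 1)))
    print(check_chain(CSCA, DSC, issued, datetime(2022, 9, 1), datetime(2023, 9, 1)))
    print(latest_next_csca_start(CSCA, timedelta(days=730)))
```

The second call in the sample shows a document signed after the DSC's key usage period ended and expiring after the DSC itself, which violates both Rule 3 and Rule 1.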