Communications of an SE, for example an embedded universal integrated circuit card (eUICC), may be authenticated using PKI techniques. Certificates used for authentication and confidentiality purposes can be generated by a trusted certificate issuer (CI). A public-key certificate may also be referred to herein simply as a certificate.
A user may store a copy of a certificate, where the certificate holds the name of a given party (user identity). The public key recorded in the certificate can be used to check the signature on a message signed using a PKI private key of the given party. A user or message recipient may use an on-line protocol such as on-line certificate status protocol (OCSP) to determine if a certificate is valid.
A digital signature is authentication data that binds the identity of the signer to a data part of a signed message. A certification authority (CA) is a trusted third party whose signature on a certificate vouches for the authenticity of the public key of the associated user identity. If the private key of the identified user becomes compromised, all holders of the certificate need to be notified. Notifying can be done, for example, with a certificate revocation list (CRL). Recipients of the CRL no longer trust messages signed with the corresponding public key of the identified user.
Also, a public-key certificate may expire at a certain point in time. So, separate from the compromise issue, there is a need to improve recognition of expired certificates. Generally, time-variant parameters can be used in identification protocols to counteract replay attacks and to provide timeliness guarantees.