Public key infrastructure (PKI) provides the basis for managing various public keys that are used to provide network security through encryption and digital signatures. PKI provides a security architecture using digital certificates, public key cryptography, and certificate authorities.
A digital certificate, usually issued by a trusted entity called a certificate authority, or policy authority, contains secure information that can be used to verify its owner's identity. PKI and certificates are governed by standards, for example as discussed in the following references relating to the X.509 framework:
Draft Reviewed ITU-T Recommendation X.509 | ISO/IEC 9594-8. “Information Technology—Open Systems Interconnection-The Directory: Public-Key And Attribute Certificate Frames.”;
Housley, R., W. Ford, W. Polk, and D. Solo. “Internet X.509 Public Key Infrastructure Certificate and CRL Profile.” Internet Request for Comments 2459. (January 1999);
Adams, C. and S. Farrell. “Internet X.509 Public Key Infrastructure Certificate Management Protocols.” Internet Request for Comments 2510. (March 1999).
The conditions for validity of a certificate are set by the certificate authority. Due to the nature of current PKI implementations, a single key or certificate is invalid only for a given set of circumstances. A previously valid X.509v3 certificate will only be considered invalid as a result of a change in either of two factors:
Certificate validity period.
Certificate revocation.
In the first case, certificates are deemed invalid if they are being referenced outside the period of time between the “Not Valid Before” and the “Not Valid After” times stipulated in the “Validity” extension. This validity period is set by the issuing authority, and is typically the same value for all subjects, regardless of their cryptographic conduct.
In the second case, certificates that have been revoked are no longer considered valid. The certificate subject commonly requests revocation when the certificate is known or suspected to have been compromised. Unfortunately, the subject is not always in a position to know that their certificate has been compromised.
The union of these two situations is the current set of circumstances where an otherwise valid certificate will be deemed invalid, and will not be used.
However, this set does not take into consideration the volume of information protected by a given key. This factor can be critical in determining the useful lifetime of an encryption key pair.
The encryption key pair consists of the public encryption certificate and the private decryption key. The useful lifetime of an encryption key pair is inversely proportional to the amount of data protected by the corresponding private decryption key.
As the cryptographic use of a public encryption certificate increases, several additional factors must be considered. The more a public encryption certificate is used to encrypt, the more ciphertext exists corresponding to the encryption key pair. With more information protected by a single private decryption key, the cumulative value of that information to unintended recipients is likely to increase. As the value of the information protected by a private decryption key increases, that key will become a more tempting target for compromise. As the private decryption key becomes a more tempting target, the risk of its compromise will increase. As the risk of compromise increases, the security of the data it protects decreases. Therefore, the more an encryption key pair is used, the less protection it affords its ciphertext. Additionally, if compromised, the private decryption key will be able to expose a greater amount of ciphertext to unintended recipients.
Put together, these factors mean that every time an encryption key pair is used, the risk of compromise and the amount of data put at risk both increase. This effect is referred to as ciphertext devaluation.
While ciphertext devaluation is difficult to quantify and may be nominal, over time it is likely to become significant in situations where a key pair is used extensively in its regular life span. Clearly, this scenario is undesirable, and may even be unacceptable under certain certificate policies.
There are currently no proposed solutions to tackle the problem of ciphertext devaluation directly. The two related items of certificate validity periods and certificate revocation provide only indirect support to this issue. Both current options are described below.
Validity Periods
A certificate's validity period was originally intended to solve the problem of ciphertext devaluation by expiring a certificate before an excessive amount of time has passed. The theory here is that a key is subjected to uniform use over time, and therefore a limitation on the lifespan of a key is, by inference, a limitation on ciphertext generated by it. Assuming all certificate subjects generate ciphertext at a roughly constant and equal rate, a validity period will indirectly address the issue of ciphertext devaluation.
When this is the case, the validity period can be set deterministically, since:

$$\text{Validity\_Period} = \frac{\text{Maximum\_Allowable\_Ciphertext}}{\text{Ciphertext\_Generation\_Rate}}$$

For example:
Maximum Allowable Ciphertext = 5000 Mb
Ciphertext Generation Rate = 8 Mb/day
Giving:

$$\text{Validity\_Period} = \frac{5000\ \text{Mb}}{8\ \text{Mb/day}} = 625\ \text{days}$$
While this is a reasonable theory, in practice the amount of ciphertext a given subject will generate is not determined at the time keys are issued. Just as important, no two subjects are likely to generate the same amounts of ciphertext, and each is likely to produce spikes and lulls in its output. As a result, actual ciphertext devaluation will not be a consideration in determining the validity of their keys.
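The mismatch between a fixed validity period and real usage can be made concrete. The following is an added example, not part of the original text: it applies the 5000 Mb budget and the 625-day validity period from the figures above to three constructed usage profiles and reports when each subject actually reaches the budget. The profile shapes and all function names are assumptions made for illustration.

```python
from itertools import accumulate

MAX_ALLOWABLE_MB = 5000        # figure from the text
ASSUMED_RATE_MB_PER_DAY = 8    # figure from the text


def validity_period_days(max_mb, rate_mb_per_day):
    """Deterministic validity period: ciphertext budget / assumed rate."""
    return max_mb / rate_mb_per_day


def day_budget_exhausted(daily_mb, max_mb):
    """First day (1-based) on which cumulative ciphertext reaches max_mb,
    or None if the profile never reaches it."""
    for day, total in enumerate(accumulate(daily_mb), start=1):
        if total >= max_mb:
            return day
    return None


def assess(daily_mb, max_mb, validity_days):
    """Compare one subject's real usage with the fixed validity period."""
    exhausted = day_budget_exhausted(daily_mb, max_mb)
    at_expiry = sum(daily_mb[:validity_days])
    over = 0 if exhausted is None else max(0, validity_days - exhausted)
    return {
        "budget_exhausted_day": exhausted,      # None: budget never reached
        "ciphertext_at_expiry_mb": at_expiry,
        "overshoot_mb": max(0, at_expiry - max_mb),
        "days_used_past_budget": over,          # key still valid, budget spent
    }


def constructed_profiles(days):
    """Constructed daily volumes in Mb (illustrative, not measurements)."""
    return {
        "steady": [8] * days,                   # matches the assumed rate
        "light": [2] * days,                    # far below the assumed rate
        # 5-day spike of 60 Mb/day at the start of every 30 days, else 2 Mb/day
        "bursty": [60 if d % 30 < 5 else 2 for d in range(days)],
    }


def run():
    days = int(validity_period_days(MAX_ALLOWABLE_MB, ASSUMED_RATE_MB_PER_DAY))
    return {name: assess(profile, MAX_ALLOWABLE_MB, days)
            for name, profile in constructed_profiles(days).items()}


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

Only the steady profile reaches the budget exactly at expiry; the bursty subject passes it well before the certificate expires, while the light subject's key is retired with most of its budget unused.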
To further compound the problem, certificate validity periods are commonly set to a default value for all certificates in a given Certification Authority, and exceptions to this default are rare or non-existent.
This broad-brush method of applying certificate validity periods fails to account for individual nuances. Ultimately, this limits the solutions to a “one size fits all” situation or to manually adjusting every certificate's validity period on issuance. Either way, it solves the ciphertext devaluation problem by accident, if at all.
Revocation
The existing standards also cite revocation as a method for making a valid certificate invalid.
The technical methods for marking a certificate revoked are various, but the intent is always the same. Certificates are most commonly revoked when they are known or suspected to have been compromised. Not surprisingly, this is usually a reactive response to a problem, not a proactive solution.
As with validity periods, while revocation can be used to mitigate ciphertext devaluation indirectly, it was not designed for that purpose, and therefore is an incomplete answer.
Thus, unfortunately, there is currently no convention in place for tackling the issue of ciphertext devaluation in an effective or quantitative way.