From: DP-Security-Consulting <dp.sec.consulting@xxxxxxx>
Reply-To: <x500standard@xxxxxxxxxxxxx>
Date: Monday, April 7, 2014 at 4:00 AM
To: <x500standard@xxxxxxxxxxxxx>
Subject: [x500standard] Re: Trust anchor information

> <snip>
> The reason is the following: the fundamental point is how long you can trust
> that public key.
> It is indicated in both Certificate and TBSCertificate, but not in
> TrustAnchorInfo.
> So I would deprecate the use of TrustAnchorInfo and recommend the use of
> TBSCertificate
> in the case where Certificate cannot be used.

Please point to validation steps that use the validity period in either Certificate or TBSCertificate when those structures are used as a TA.

Also note the validity period does appear in TrustAnchorInfo when it wraps a certificate. It is only absent when using the TrustAnchorInfo to produce a minimal encoding of the TA including only the name and key, which is not something you can do with Certificate or TBSCertificate.