Key Management: General
In the case of symmetric keys, the transition needs to be made before the end of the key's originator-usage period. For asymmetric keys, the transition needs to be made, for example, before the notAfter date on the last certificate issued for the public key. In this case, both the private and public key shall transition at the same time.
The date and time of the transition should be recorded.
Transition 11: A key or key pair in the suspended state shall transition to the compromised state when the integrity of the key or the confidentiality of a key requiring confidentiality protection becomes suspect or is confirmed. In this case, the key or key pair shall be revoked. In the case of asymmetric key pairs, both the public and private keys shall transition at the same time.
The date and time of the transition shall be recorded. If the key is known by multiple entities, a revocation notice shall be generated.
Transition 12: Several key types transition from the suspended state to the deactivated state if no compromise has been determined and the suspension is no longer required.
Symmetric authentication keys, symmetric data encryption/decryption keys, and symmetric key-wrapping keys shall transition to the deactivated state when the ends of their originator-usage periods have been reached.
Public signature verification keys, public authentication keys, and private/public static key-agreement key pairs transition to the deactivated state at the end of the private key's originator-usage period (e.g., when the notAfter date is reached on the last certificate issued for the public key). Public ephemeral key-agreement keys and public authorization keys transition to the deactivated state if they have not been destroyed when the corresponding private keys were destroyed (see transition 9).[39]
A private/public key-transport key pair transitions to the deactivated state at the end of the key pair's cryptoperiod (e.g., when the notAfter date is reached on the last certificate issued for the public key).
The date and time of the transition should be recorded.
[39] In the case of public ephemeral key-agreement keys, the cryptoperiod ends at the same time as that of the corresponding private ephemeral key-agreement key, which transitioned to the destroyed state after use (see transition 5). However, there is no actual requirement to destroy the public key immediately, so it is listed here as transitioning to the deactivated state, rather than the destroyed state. Transitioning directly to the destroyed state would also be acceptable.
7.4 Deactivated State
Keys in the deactivated state shall not be used to apply cryptographic protection, but in some cases, may be used to process cryptographically protected information. If the key has been revoked (i.e., for reasons other than a compromise), then the key may continue to be used for processing. Note that keys retrieved from an archive can be considered to be in the deactivated
state unless compromised.
• Public signature verification keys may be used to verify the digital signatures generated before the end of the corresponding private key's originator-usage period (e.g., before the notAfter date in the last certificate for the public key).
• Symmetric authentication keys, symmetric data encryption keys and symmetric key-wrapping keys may be used to process cryptographically protected information until the end of the recipient-usage period is reached, provided that the protection was applied during the key's originator-usage period.
• Public authentication keys may be used to authenticate processes performed before the end of the corresponding private key's originator-usage period (e.g., before the notAfter date in the last certificate for the public key).
• Private key-transport keys may be used to decrypt keys that were encrypted using the corresponding public key before the end of the public key's originator-usage period (e.g., before the notAfter date in the last certificate for the public key).
• Symmetric key-agreement keys may be used to determine the agreed-upon key, assuming that sufficient information is available.
• Private/public static key-agreement keys may be used to regenerate agreed-upon keys that were created before the end of the key pair's cryptoperiod (e.g., before the notAfter date in the last certificate for the public key), assuming that sufficient information is available for the key-agreement scheme used.
• Public ephemeral key-agreement keys may be used to regenerate agreed-upon keys, assuming that sufficient information is available for the key-agreement scheme used.
• Public authorization keys shall not be used.
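As an added illustration (not text or code from the standard), the deactivated-state usage rules above can be enforced as a single policy check before any key in that state is handed to a cryptographic operation; the key-type labels, field names and the sample timeline are this example's own assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Labels for the key types named in the deactivated-state rules (labels are
# this example's own, not identifiers from the standard).
SYMMETRIC = {"sym_auth", "sym_enc", "sym_wrap"}
# Types whose processing is bounded by the end of the private key's
# originator-usage period or the key pair's cryptoperiod (e.g., notAfter).
PERIOD_BOUNDED = {"pub_sig_verify", "pub_auth", "priv_key_transport",
                  "static_key_agreement"}
REGENERATE_ONLY = {"sym_key_agreement", "pub_ephemeral_key_agreement"}

@dataclass
class DeactivatedKey:
    key_type: str
    originator_usage_end: datetime                  # or cryptoperiod end
    recipient_usage_end: Optional[datetime] = None  # symmetric keys only

def may_use(key: DeactivatedKey, op: str, protected_at: datetime,
            now: datetime, scheme_info_available: bool = True) -> bool:
    """op is "apply" (sign/encrypt/wrap) or "process" (verify/decrypt/unwrap);
    protected_at is when the protection now being processed was applied."""
    if op == "apply":
        return False                 # deactivated keys never apply protection
    if key.key_type == "pub_authorization":
        return False                 # shall not be used at all
    if key.key_type in SYMMETRIC:
        # protection must date from the originator-usage period, and the
        # recipient-usage period must not have ended yet
        return (protected_at <= key.originator_usage_end
                and key.recipient_usage_end is not None
                and now <= key.recipient_usage_end)
    if key.key_type in PERIOD_BOUNDED:
        # static key agreement additionally needs the scheme's inputs
        needs_info = key.key_type == "static_key_agreement"
        return protected_at <= key.originator_usage_end and (
            scheme_info_available or not needs_info)
    if key.key_type in REGENERATE_ONLY:
        return scheme_info_available   # regenerate the agreed-upon key
    raise ValueError(f"unknown key type {key.key_type!r}")

# Constructed sample timeline (not taken from the standard).
NOT_AFTER = datetime(2024, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
RECIPIENT_END = datetime(2025, 6, 30, tzinfo=timezone.utc)
IN_PERIOD = datetime(2024, 6, 1, tzinfo=timezone.utc)      # protection applied
AFTER_PERIOD = datetime(2025, 1, 15, tzinfo=timezone.utc)  # applied too late
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
```

The check deliberately refuses a symmetric key whose recipient-usage period is unknown, since the rule cannot be evaluated without it.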
Keys in the deactivated state may transition to either the compromised or destroyed state at some point in time.
Transition 13: A key shall transition from the deactivated state to the compromised state when the integrity of a key or the confidentiality of a key requiring confidentiality protection becomes suspect. In this case, the key or key pair shall be revoked.
The date, time and reason for the transition shall be recorded. If the key is known by multiple entities, a revocation notice shall be generated.
Transition 14: A key in the deactivated state should transition to the destroyed state as soon as it is no longer needed.
The date, time and reason for the transition shall be recorded.
Note that keys retrieved from an archive may be in the deactivated state.
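To show transitions 11 through 14 (from the suspended and deactivated states) as one lifecycle state machine, the following is an added example and not part of the standard: it rejects moves the text does not permit, records the date, time and reason of each move, revokes the key on a transition to the compromised state, and generates a revocation notice when the key is known by multiple entities. Class names and the sample key are the example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Permitted transitions out of the suspended and deactivated states,
# numbered as in the standard's lifecycle description.
ALLOWED = {("suspended", "compromised"): 11, ("suspended", "deactivated"): 12,
           ("deactivated", "compromised"): 13, ("deactivated", "destroyed"): 14}

@dataclass
class AuditRecord:         # date/time (and reason, where required) of a move
    when: datetime
    transition: int
    src: str
    dst: str
    reason: Optional[str]

@dataclass
class ManagedKey:          # one symmetric key, or one key pair moved as a unit
    key_id: str
    state: str
    known_by: List[str]    # entities that hold this key
    revoked: bool = False
    log: List[AuditRecord] = field(default_factory=list)
    notices: List[str] = field(default_factory=list)

    def transition(self, dst: str, now: datetime, reason: Optional[str] = None,
                   compromise_suspected: bool = False) -> None:
        src = self.state
        num = ALLOWED.get((src, dst))
        if num is None:
            raise ValueError(f"{src} -> {dst} is not a permitted transition")
        if num == 12 and compromise_suspected:
            raise ValueError("suspected compromise: transition 11 applies")
        if src == "deactivated" and reason is None:
            raise ValueError("transitions 13 and 14 require a recorded reason")
        if dst == "compromised":
            self.revoked = True          # the key or key pair shall be revoked
            if len(self.known_by) > 1:   # known by multiple entities
                self.notices.append(f"REVOCATION NOTICE {self.key_id}: {reason}")
        self.state = dst
        self.log.append(AuditRecord(now, num, src, dst, reason))

def sample_lifecycle() -> ManagedKey:
    # Constructed walk-through: suspended -> deactivated -> compromised.
    t = datetime(2025, 1, 10, tzinfo=timezone.utc)
    k = ManagedKey("example-key-pair", "suspended", ["issuer", "relying-party"])
    k.transition("deactivated", t)                                    # 12
    k.transition("compromised", t, "private key exposure suspected")  # 13
    return k
```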
7.5 Compromised State