A certificate carries a pair of date and time indications, indicating the start and end of the time period over which a certificate is intended to be used. The duration of the interval may be constant for all user certificates issued by a given CA or it might differ based on the nature of the user's affiliation. For example, an organization might issue certificates with shorter intervals to temporary employees versus permanent employees. It is recommended that the UTCT (Coordinated Universal Time) values recorded here specify granularity to no more than the minute, even though finer granularity can be expressed in the format. (Implementors are warned that no DER is defined for UTCT in X.509, thus transformation between local and transfer syntax must be performed carefully, e.g., when computing the hash value for a certificate. For example, a UTCT value which includes explicit, zero values for seconds would not produce the same hash value as one in which the seconds were omitted.) It is also recommended that all times be expressed as Greenwich Mean Time (Zulu), to simplify comparisons and avoid confusion relating to daylight savings time. Note that UTCT expresses the value of a year modulo 100 (with no indication of century), hence comparisons involving dates in different centuries must be performed with care.
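The following added example (not part of the original text) shows the three pitfalls named above: equivalent UTCT strings that hash differently, local-offset forms, and two-digit years that compare incorrectly across a century boundary. The sample values are constructed, the century pivot of 50 and the canonical form (Zulu with explicit seconds) are assumptions of this sketch, and the hash is taken over the time string alone rather than a full encoded certificate.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# UTCTime text forms: YYMMDDhhmm[ss] followed by Z or a +hhmm/-hhmm offset.
_UTCT = re.compile(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(Z|[+-]\d{4})")

def parse_utct(value, pivot=50):
    """Parse a UTCTime string into an aware UTC datetime.

    pivot is an assumption of this example: YY >= pivot is read as 19YY,
    anything lower as 20YY.
    """
    m = _UTCT.fullmatch(value)
    if not m:
        raise ValueError(f"not a UTCTime value: {value!r}")
    yy, mo, dd, hh, mi = (int(g) for g in m.groups()[:5])
    ss = int(m.group(6) or 0)  # omitted seconds mean zero seconds
    year = (1900 if yy >= pivot else 2000) + yy
    stamp = datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone.utc)
    zone = m.group(7)
    if zone == "Z":
        return stamp
    sign = 1 if zone[0] == "+" else -1
    offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
    return stamp - sign * offset  # local time minus its offset gives UTC

def canonical_utct(value, pivot=50):
    """Re-encode in one fixed form (assumed here: Zulu, seconds present)."""
    return parse_utct(value, pivot).strftime("%y%m%d%H%M%SZ")

def digest(value):
    """Hash of the time string as transferred."""
    return hashlib.sha256(value.encode("ascii")).hexdigest()

def is_valid_at(not_before, not_after, now, pivot=50):
    """True if 'now' (aware datetime) lies inside the validity interval."""
    return parse_utct(not_before, pivot) <= now <= parse_utct(not_after, pivot)

# Constructed samples: the same instant written three different ways.
SAMPLES = ["9301011200Z", "930101120000Z", "9301010700-0500"]

if __name__ == "__main__":
    for s in SAMPLES:
        c = canonical_utct(s)
        print(f"{s:16} raw={digest(s)[:12]} canonical={c} {digest(c)[:12]}")
```

Hashing or signing should be done over bytes in one agreed form; comparing validity dates should be done on parsed values, never on the raw two-digit-year strings.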
The longer the interval, the greater the likelihood that compromise of a private component or name change will render it invalid and thus require that the certificate be revoked. Once revoked, the certificate must remain on the issuer's CRL (see Section 18.104.22.168) until the validity interval expires. PCAs may impose restrictions on the maximum validity interval that may be elected by CAs operating in their certification domain (see Appendix B).