On Tue, 10 Jun 2008, Maarten Litmaath wrote:
> 10 Jun 2008, Glenn R. Moloney wrote:
>
> > Can someone enlighten me as to the whether it is necessary for a CA to
> > revoke an existing host certificate when issuing a new cert for that
> > host.
> >
> > We recently ran into trouble when our CA issued new certs for our hosts.
> > The old certs would have expired within 20 days. Due to delays in
> > notification we had not deployed the new certs when the old certs
> > started appearing in the updated crls at sites across the grid.
> >
> > Our CA tells us they have to revoke the old certs when issuing the new
> > certs. This seems a difficult requirement for sites trying to maintain a
> > production service without 24/7 operations.
>
> Indeed. This is the first time that I hear about such a requirement.
> I suppose it is defensible from a purist interpretation of the rules,
> but totally impracticable. CC [log in to unmask]
Hmmm, that list is only accessible to its members: then why publish it?
Now trying with [log in to unmask] instead...
|