Maarten,
Others have already answered on this. I fully agree that there is no
policy requirement to revoke old certs when renewals are issued.
On the question of mailing to the JSPG list - I thought it was open.
I'll check. I agree we shouldn't advertise if it's closed :=)
Cheers
Dave
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: [log in to unmask]
Tel: +44 (0)1235 445746 (direct)
Fax: +44 (0)1235 446733
------------------------------------------------
> -----Original Message-----
> From: LHC Computer Grid - Rollout [mailto:[log in to unmask]]
> On Behalf Of Maarten Litmaath
> Sent: 10 June 2008 11:35
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] Query about normal procedure for renewal of
> host certs
>
> On Tue, 10 Jun 2008, Maarten Litmaath wrote:
>
> > 10 Jun 2008, Glenn R. Moloney wrote:
> >
> > > Can someone enlighten me as to whether it is necessary for a CA
> > > to revoke an existing host certificate when issuing a new cert for
> > > that host.
> > >
> > > We recently ran into trouble when our CA issued new certs for our hosts.
> > > The old certs would have expired within 20 days. Due to delays in
> > > notification we had not deployed the new certs when the old certs
> > > started appearing in the updated crls at sites across the grid.
> > >
> > > Our CA tells us they have to revoke the old certs when issuing the
> > > new certs. This seems a difficult requirement for sites trying to
> > > maintain a production service without 24/7 operations.
> >
> > Indeed. This is the first time that I hear about such a requirement.
> > I suppose it is defensible from a purist interpretation of the rules,
> > but totally impracticable. CC [log in to unmask]
>
> Hmmm, that list is only accessible to its members: then why publish it?
> Now trying with [log in to unmask] instead...