Bad form to reply to your own email, but I will save you the obvious
question: why can I ignore one requirement (to shorten the lifetime of
the certificates) and not the other (to not issue a CRL)?
I expect to get away with the normal lifetime by implementing a
streamlined RA approval process which, unlike current renewals, is
disassociated from the signing process.
Secondly, there will be an audit of the currently rolled over
certificates. There are a lot that have been reissued that should not
have been (usually because the one they replace should itself have been
revoked).
Thirdly, the important thing (more from a political perspective than a
technical one) was to not use the _root_ key - this is the one our
external grid friends were worried about.
But I do have some explaining to do next time there is a PMA meeting...
I am also pondering how to improve communications; there is a fair bit
of stuff happening behind the scenes which you may not care about but
maybe you should have the option to decide.
Thanks
--jens