Bad form to reply to your own email, but I will save you the obvious question: why can I ignore one requirement (to shorten the lifetime of the certificates) and not the other (to not issue a CRL)?

I expect to get away with the normal lifetime by implementing a streamlined RA approval process which, unlike current renewals, is disassociated from the signing process.

Secondly, there will be an audit of the currently rolled over certificates. There are a lot that have been reissued that should not have been (usually because the one they replace should itself have been revoked).

Thirdly, the important thing (more from a political perspective than a technical one) was to not use the _root_ key - this is the one our external grid friends were worried about.

But I do have some explaining to do next time there is a PMA meeting...

I am also pondering how to improve communications; there is a fair bit of stuff happening behind the scenes which you may not care about but maybe you should have the option to decide.

Thanks
--jens