/FYI/

Hi,

We are managing experimental CAs in the WIDE project. We had a CA key pair changeover experiment in June 2000, including OpenSSL, and wrote a report. You can get the report from the URL

    http://www.wide.ad.jp/wg/moca/CAkeychangeover.txt
    (in Japanese: http://www.wide.ad.jp/wg/moca/CAkeychangeover-j.txt )

Any comments or suggestions are welcome. Especially, we would be happy if the OpenSSL developers could consider and discuss this for the next version.

Abstract:

A lot of CAs have been managed for several years, but we have not yet seen a situation where a CA key pair was changed due to CA certificate expiration. We had an experiment of CA key pair changeover. In this experiment, we examined how a CA key pair changeover would affect existing applications. As a result, we found that some of the existing applications required a change of the CA distinguished name at the same time as the CA key pair changeover for a smooth transition.

Have you ever discussed whether it is important for a CA management policy to change the CA distinguished name or not? If a CA name change is not allowed in some CA management policies, we think existing applications should support the CA key pair changeover without a change of the CA distinguished name.

Please send any comments to "[EMAIL PROTECTED]".

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Mine Sakurai
E-mail: [EMAIL PROTECTED]
5th Laboratory
Development Laboratories, NEC Networks, Tokyo, JAPAN

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
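The scenario the post describes, a new CA key pair issued under the unchanged CA distinguished name, can be reproduced with the openssl CLI. This is an added example, not part of the post or of the WIDE report; it assumes openssl 1.1.1 or newer on PATH, and the DN, host name and file names are constructed for the demo. It shows why a verifier that picks the issuer by DN alone gets the wrong CA certificate, and that a subjectKeyIdentifier/authorityKeyIdentifier pair lets it tell the two same-named CA certificates apart.

```shell
# Added example: CA key pair changeover with the CA DN kept unchanged.
# Assumes openssl 1.1.1+ on PATH. The DN and host name are constructed.
set -eu

CA_DN="/C=JP/O=Example Org (constructed)/CN=Experimental CA"

# write_cnf: minimal req config. The CA section adds a subjectKeyIdentifier
# so the two CA certificates, which share a DN, still differ by key id.
write_cnf() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'subjectKeyIdentifier = hash' 'keyUsage = critical,keyCertSign,cRLSign' \
    > "$WORK/req.cnf"
  printf '%s\n' 'basicConstraints = CA:FALSE' 'authorityKeyIdentifier = keyid' \
    > "$WORK/leaf.ext"
}

# make_ca <name> <days>: self-signed CA cert with a fresh key and the shared DN.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days "$2" \
    -subj "$CA_DN" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf <ca-name>: end-entity cert signed by that CA; its
# authorityKeyIdentifier names the signing key, not only the issuer DN.
issue_leaf() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf <store-name>: "ok" or "fail" for the leaf against that trust store.
verify_leaf() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# changeover_demo: old CA (still valid), new CA with the same DN, leaf issued
# by the new CA. Prints results for the old store, the new store, and both.
changeover_demo() {
  WORK=$(mktemp -d)
  write_cnf
  make_ca old-ca 30
  make_ca new-ca 3650
  issue_leaf new-ca
  cat "$WORK/old-ca.pem" "$WORK/new-ca.pem" > "$WORK/both.pem"
  echo "$(verify_leaf old-ca) $(verify_leaf new-ca) $(verify_leaf both)"
  rm -rf "$WORK"
}

changeover_demo   # prints: fail ok ok
```

The third result is the one that matters for the post's question: with both CA certificates in the store, the key identifiers select the right issuer even though the DNs are identical, whereas an application that indexes its trusted CAs by DN only would be left with the old certificate.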