> The only reason to preserve the old private key is
> if there is something out there signed with it and
> if this is the root CA and its public cert has expired
> you really shouldn't allow anything out there to remain
> valid anyway. By issuing a new cert with the old key you
> are actually allowing old certificates possibly to validate.
Maybe I'm being dense, but I can't see the harm. If those old certificates are still inside their validity period, what harm is there in having them validate? They're *valid*, after all.

The only arguments I can see are all related to more time to compromise the same private key, for example:

1) The original private key might have gotten out somehow or been misplaced somewhere. Revalidating the same key gives more time for the mislaid key to get into evil hands.

2) The original private key might have been stored somewhere with poor encryption, say with a simple English word or a small number of digits encrypting it. Having the same key be valid for longer allows more time for an attack on the key's encoding.

3) There might be a slow leak somewhere gradually giving information about the key, say by some kind of timing attack.

4) The PK algorithm itself can be broken given enough time to derive the private key. Reusing a key gives more time for that.

There may be some reason I'm not thinking of, but that valid certificates will validate doesn't seem to be a problem.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
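The behaviour both posters are debating can be checked directly with the openssl command line. The script below is an added example, not something from the thread: it builds a throwaway root CA, issues a leaf under the first root cert, then reissues the root cert twice, once with the same private key (renewal) and once with a fresh key (rekey), and asks `openssl verify` which trusted root still accepts the leaf. All names and validity periods are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the thread). Shows that a root cert reissued
# with the SAME private key still verifies leaf certs issued under the old
# root cert (they chain on the key, not on the root's own validity window),
# while a root reissued with a NEW key rejects them. Requires the openssl CLI.
set -e
workdir=$(mktemp -d)
cd "$workdir"

# Constructed root CA: one private key and a first, short-lived root cert.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out root.key 2>/dev/null
openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" \
    -days 30 -out root-old.crt 2>/dev/null

# A leaf cert issued under that first root cert.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out leaf.key 2>/dev/null
openssl req -new -key leaf.key -subj "/CN=leaf.example.test" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA root-old.crt -CAkey root.key -CAcreateserial \
    -days 10 -out leaf.crt 2>/dev/null

# Renewal: same private key, same subject name, new validity window.
openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" \
    -days 365 -out root-renewed.crt 2>/dev/null

# Rekey: a fresh private key under the same subject name.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out root2.key 2>/dev/null
openssl req -x509 -new -key root2.key -subj "/CN=Example Root CA" \
    -days 365 -out root-rekeyed.crt 2>/dev/null

# verify_leaf TRUSTED_ROOT_CERT
# Exit status 0 if leaf.crt chains to the given trusted root, non-zero otherwise.
verify_leaf() {
    openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
}

for root in root-old.crt root-renewed.crt root-rekeyed.crt; do
    if verify_leaf "$root"; then
        echo "$root: leaf verifies"
    else
        echo "$root: leaf REJECTED"
    fi
done
```

The leaf is accepted under both root-old.crt and root-renewed.crt and rejected under root-rekeyed.crt; whether a still-valid leaf should keep verifying after a renewal is exactly the policy question the thread is arguing about.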