Mark H. Wood wrote:
> Further, it won't be a trust root until it's distributed and the
> recipients are satisfied that it is legitimate. And I think that's
> the real question:
>
> When my CA's certificate expires, can I update it without having to
> deliver copies securely to everyone who is supposed to trust my CA?
>
> The answer to *that* question had better be "NO". It truly doesn't
> matter whether you made a new certificate or updated the old one,
> because in either case you must distribute it again in a trustworthy
> manner or nobody will trust it.
There should be a way to issue an updated root certificate signed by the original root (while it is still valid) such that browsers provide a very simple prompt that strongly encourages you to "update" the certificate. If a root is compromised inside its validity period, you're screwed anyway. Unfortunately, as far as I know, there is no such thing.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
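The rollover DS describes, worked through with the openssl CLI as an added example that is not from the thread: the old root signs a cross-certificate over the new root's key, so a relying party that still holds only the old root validates a chain built to the new root, while the bare new root on its own is still untrusted until it is distributed. It assumes the openssl command is installed; the CA names, serials and lifetimes are made up.

```shell
#!/bin/sh
# Added example, not from the thread: root rollover by cross-signing.
# Assumes the openssl CLI; the CA names and serials below are made up.
set -eu

make_pki() {   # $1 = scratch directory; writes old/new/cross/leaf certs into it
    d="$1"
    cat > "$d/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[cross]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Old root: the one relying parties already hold (short life to mimic expiry).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Old Root CA" \
        -keyout "$d/old.key" -out "$d/old.csr"
    openssl x509 -req -in "$d/old.csr" -signkey "$d/old.key" -days 30 -set_serial 1 \
        -extfile "$d/ext.cnf" -extensions ca -out "$d/old.crt"
    # New root: fresh key pair, self-signed with a long life.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=New Root CA" \
        -keyout "$d/new.key" -out "$d/new.csr"
    openssl x509 -req -in "$d/new.csr" -signkey "$d/new.key" -days 3650 -set_serial 1 \
        -extfile "$d/ext.cnf" -extensions ca -out "$d/new.crt"
    # Cross-certificate: the OLD root signs the NEW root's CSR, so it carries the
    # same subject name and SKID as new.crt and can stand in for it in a chain.
    openssl x509 -req -in "$d/new.csr" -CA "$d/old.crt" -CAkey "$d/old.key" -days 30 \
        -set_serial 2 -extfile "$d/ext.cnf" -extensions cross -out "$d/cross.crt"
    # End-entity certificate issued only by the new root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/new.crt" -CAkey "$d/new.key" -days 30 \
        -set_serial 1000 -extfile "$d/ext.cnf" -extensions leaf -out "$d/leaf.crt"
}

# chain_ok TRUSTED CERT [UNTRUSTED...]: succeeds iff CERT chains to TRUSTED,
# with the extra files offered only as untrusted intermediates (as a TLS server would).
chain_ok() {
    trusted="$1"; cert="$2"; shift 2
    extra=""
    for f in "$@"; do extra="$extra -untrusted $f"; done
    # $extra is deliberately unquoted so it splits into separate arguments
    openssl verify -CAfile "$trusted" $extra "$cert" >/dev/null 2>&1
}
```

With only old.crt trusted, leaf.crt verifies when cross.crt is supplied and fails without it; new.crt alone never verifies against the old store, which is the distribution problem Mark describes.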