On Sat, Sep 10, 2016 at 06:33:59PM -0700, xiaoyi...@outlook.com wrote:
> But is it an OK behavior if a CDN vendor doesn't immediately revoke the old
> cert after I stop using its CDN service?

I don't think it's automatically terrible behaviour. Plenty of people let certificates lapse rather than actively revoking them when they stop using the name, and it doesn't appear to have caused massive problems. As long as the private key for the certificate is appropriately protected for the lifetime of the certificate, I can't think of any particular problem with it. That goes double when it's a multi-sAN cert -- revoking the cert and reissuing it with everything the same except for one less sAN doesn't seem worth the hassle.

- Matt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy