On Thu, Jul 2, 2020 at 5:30 PM Pedro Fuentes via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Hello Ryan, > Thanks for your detailed response. > > Just to be sure that we are in the same page. My question was about > reissuing a new CA using the same key pair, but this implies also the > revocation of the previous version of the certificate. > Right, but this doesn't do anything, because the previous key pair can be used to sign an OCSP response that unrevokes itself. This is the problem and why "key destruction" is the best of the alternatives (that I discussed) for ensuring that this doesn't happen, because it doesn't shift the cost to other participants. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
