Nelson B Bolyard wrote re retaining copies of old roots after their replacement by new roots:
I recommend that for CAs whose newer root certs bear exactly the same
notBefore and notAfter dates as the older certs.  In that case, it may be
necessary to retain all the relevant root certs, all marked trusted.

However, for the more common case where the newer cert does not have
identical notBefore and notAfter dates, but has either
a) a newer/later notBefore date, or
b) the same notBefore date and a newer/later notAfter date,
it is not necessary to retain the older certs.

Thanks for the advice, this answers the question as far as I'm concerned.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
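
The retention rule quoted above, applied to the validity dates of successive roots for one CA, as an added example that is not part of the original thread. The `Root` records and their dates are constructed, and keeping the older cert in cases the quoted advice does not cover is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Root:
    label: str            # constructed name, not a real certificate
    not_before: datetime
    not_after: datetime


def should_retain_older(older: Root, newer: Root) -> bool:
    """Apply the quoted rule to one (older, newer) pair of roots of the same CA."""
    same_nb = newer.not_before == older.not_before
    same_na = newer.not_after == older.not_after
    if same_nb and same_na:
        return True       # identical validity dates: retain both, all marked trusted
    if newer.not_before > older.not_before:
        return False      # case (a): newer/later notBefore
    if same_nb and newer.not_after > older.not_after:
        return False      # case (b): same notBefore, newer/later notAfter
    # Not covered by the quoted advice (e.g. the replacement has an earlier
    # notBefore). Assumption: be conservative and keep the older cert.
    return True


def roots_to_retain(chain: List[Root]) -> List[str]:
    """chain is ordered by issuance, oldest first; the last entry is the current root."""
    current = chain[-1]
    kept = [r.label for r in chain[:-1] if should_retain_older(r, current)]
    return kept + [current.label]


# Constructed sample roots for a single hypothetical CA.
G1 = Root("g1", datetime(2000, 1, 1), datetime(2020, 1, 1))
G2 = Root("g2-same-dates", datetime(2000, 1, 1), datetime(2020, 1, 1))
G3 = Root("g3-later-notAfter", datetime(2000, 1, 1), datetime(2030, 1, 1))
G4 = Root("g4-later-notBefore", datetime(2006, 1, 1), datetime(2036, 1, 1))

if __name__ == "__main__":
    for chain in ([G1, G2], [G1, G3], [G1, G2, G4]):
        print([r.label for r in chain], "->", roots_to_retain(chain))
```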
