So, my point was, there's no point in promising you'll keep OCSP going for 12 months if all your certs will expire sooner than that. After the last cert expires, shut 'em down!
No, that was for "unknown" people in the system that come along and signup and with no one verifying they are who they say they are... But my point about MF running a CRL/OCSP service after companies goes bust was a generalised one regardless which CA it is, and relates back to your comments about garentees about CAs continuing to run after the principal gets hit by a bus, when in reality all that needs to happen is the CRL/OCSP remain in operation, which in the event of a CA going bust MF might want to take responsibility for the running of a serivce such at this, if it were deemed that this was a good idea... I'm just thinking out loud about the fact that companies are going bust left right and centre, and how to ensure their CRL/OCSP remains accessable till the last certificate they issued expires... Although the problem with this is how does a user revoke an existing certificate between a CA ceasing operation and their certificate expiring...
-- Best regards, Duane
http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
