When the infrastructure providing protection for the CA's private keys can no longer be guaranteed, then the integrity of the CA is called into question and it should be revoked. If the CA is revoked, any assertions made in End Entity certificates are no longer in force and they too should be revoked. Before decommissioning the CA, it should issue one last CRL with a validity period past the last expiry date of any End Entity certificate it has issued that includes all the remaining End Entity certs that it has issued with a reason of cessationOfOperation (5).
-Scott
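The final CRL described in the message above, as an added example that is not part of the original thread. It assumes the Python `cryptography` package. The names `build_final_crl` and `summarize`, the one-day margin, and the choice to skip expired certificates and keep earlier revocation reasons are assumptions.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes

CESSATION = x509.ReasonFlags.cessation_of_operation  # CRLReason code 5


def build_final_crl(ca_key, ca_name, issued, prior, now,
                    margin=dt.timedelta(days=1)):
    """Build the CA's last CRL before decommissioning.

    issued: {serial: not_after} for every End Entity cert the CA issued.
    prior:  {serial: (revocation_date, reason)} for earlier revocations.
    Datetimes are naive UTC with whole seconds.
    """
    # nextUpdate must fall after the last End Entity expiry, so the CRL
    # stays current for as long as any issued certificate could be used.
    last_expiry = max(max(issued.values()), now)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_name)
               .last_update(now)
               .next_update(last_expiry + margin))
    for serial, not_after in sorted(issued.items()):
        if not_after <= now:
            continue  # assumption: already expired, not a "remaining" cert
        # Assumption: an earlier revocation keeps its original date and
        # reason; every other unexpired cert gets cessationOfOperation.
        when, reason = prior.get(serial, (now, CESSATION))
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(when)
                 .add_extension(x509.CRLReason(reason), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def summarize(crl):
    """Return (nextUpdate as naive UTC, {serial: reason}) for checking."""
    nu = getattr(crl, "next_update_utc", None)  # newer library versions
    nu = nu.replace(tzinfo=None) if nu is not None else crl.next_update
    reasons = {r.serial_number:
               r.extensions.get_extension_for_class(x509.CRLReason).value.reason
               for r in crl}
    return nu, reasons
```

A relying party can confirm the result with `crl.is_signature_valid(ca_public_key)` before the CA key is destroyed.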
Duane wrote:
So, my point was, there's no point in promising you'll keep OCSP going for 12 months if all your certs will expire sooner than that. After the last cert expires, shut 'em down!
No, that was for "unknown" people in the system that come along and sign up and with no one verifying they are who they say they are... But my point about MF running a CRL/OCSP service after companies go bust was a generalised one regardless which CA it is, and relates back to your comments about guarantees about CAs continuing to run after the principal gets hit by a bus, when in reality all that needs to happen is the CRL/OCSP remain in operation, which in the event of a CA going bust MF might want to take responsibility for the running of a service such as this, if it were deemed that this was a good idea... I'm just thinking out loud about the fact that companies are going bust left, right and centre, and how to ensure their CRL/OCSP remains accessible till the last certificate they issued expires... Although the problem with this is how does a user revoke an existing certificate between a CA ceasing operation and their certificate expiring...
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
