should be revoked. Before decommissioning the CA, it should issue one last CRL with a validity period past the last expiry date of any End Entity certificate it has issued that includes all the remaining End Entity certs that it has issued with a reason of cessationOfOperation (5).
Even if they were all revoked, the CRL/OCSP needs to be hosted and responsive till all current certificates reach their predetermined expiry date... However, as Jean pointed out, insurance should cover the cost of that, but how many commercial CAs are covered for that particular outcome?
-- Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
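
The final-CRL step discussed in this message, as an added example that is not part of the original post or any CA's own tooling: it uses the Python `cryptography` package to list every unexpired end-entity certificate with reason cessationOfOperation (5) and sets nextUpdate past the last expiry. The inventory, CA name, throwaway key, dates and the 30-day margin are constructed assumptions.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed inventory of issued end-entity certificates: (serial, notAfter).
ISSUED = [
    (0x1001, dt.datetime(2026, 3, 1)),
    (0x1002, dt.datetime(2027, 11, 15)),
    (0x1003, dt.datetime(2024, 1, 10)),  # already expired at decommission time
]

def build_final_crl(ca_key, ca_name, issued, now, margin=dt.timedelta(days=30)):
    """Return (crl, next_update) for the CA's last CRL before decommissioning."""
    remaining = [(serial, exp) for serial, exp in issued if exp > now]
    if not remaining:
        raise ValueError("no unexpired certificates left to revoke")
    # nextUpdate must fall after the last expiry of any certificate listed.
    next_update = max(exp for _, exp in remaining) + margin
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_name)
               .last_update(now)
               .next_update(next_update))
    for serial, _ in remaining:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(now)
                 .add_extension(  # reasonCode 5 = cessationOfOperation
                     x509.CRLReason(x509.ReasonFlags.cessation_of_operation),
                     critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256()), next_update

def demo():
    """Build the final CRL for the constructed inventory with a throwaway key."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, "Example Retiring CA")])
    now = dt.datetime(2025, 6, 1)  # assumed decommissioning date (UTC)
    crl, next_update = build_final_crl(ca_key, ca_name, ISSUED, now)
    return ca_key, crl, next_update

if __name__ == "__main__":
    _, final_crl, next_upd = demo()
    print(len(final_crl), "entries; nextUpdate =", next_upd.isoformat())
```

The signed CRL still has to stay published at the CRL distribution point until nextUpdate, which is the hosting cost the message raises.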
