> However, I must ask the question: "Have you actually DONE this before?"
Yup. But not with SSL and browsers. You're focused on that, but I was talking in general. In reality, of course, everyone just buys a commercial SSL cert rather than try to fight with the browsers's (sic!) trust issues.
> "New applications that need to know .. just add the new root to their list of trust anchors." This is not talking about servers or clients and could imply that explicit action is required AT THE CLIENT which I think we have determined is actually not necessary, at least as long as the old root doesn't interfere with the new chain validation.
By "need to know" I meant applications that need to know about *other* CAs that the new root has signed. Those clients will need to incorporate the new root into their list of trust anchors. Old clients don't.
our old local root to new local root transition was people who decided to mark the end-user certificate as trusted in their browsers rather than take the risk of trusting our root.
"If you want PGP you know where to find it."
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
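A constructed illustration of the root transition discussed above, added here and not part of the thread: it assumes (as the replies imply but never spell out) that the new root is cross-signed under the old root, so an old client that trusts only the old root still validates a leaf issued by the new root when the server sends the cross-certificate, while a new client just adds the new root to its trust anchors. All keys, certificates and names are generated on the fly for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Old root -> new root transition done by
# cross-signing the NEW root's key under the OLD root. Everything is throwaway.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Old root: what existing clients already carry in their trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout old.key -out old.pem \
    -subj "/CN=Old Root" 2>/dev/null
# New root: self-signed; what NEW clients add as a trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout new.key -out new.pem \
    -subj "/CN=New Root" 2>/dev/null

# Cross-certificate: same key and name as the new root, but issued by the old root,
# so a chain ending at the old root can be built through it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >> ca.ext
openssl req -new -key new.key -out cross.csr -subj "/CN=New Root" 2>/dev/null
openssl x509 -req -in cross.csr -CA old.pem -CAkey old.key -CAcreateserial -days 30 \
    -extfile ca.ext -out cross.pem 2>/dev/null

# End-entity certificate issued directly by the new root.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=leaf.example" 2>/dev/null
openssl x509 -req -in leaf.csr -CA new.pem -CAkey new.key -CAcreateserial -days 30 \
    -out leaf.pem 2>/dev/null

# Returns 0 when leaf.pem validates against trust-anchor file $1; $2 (optional)
# is an untrusted intermediate, i.e. what a server would ship in its chain.
# -no-CApath keeps the system trust store out of the picture.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" leaf.pem >/dev/null 2>&1
    fi
}

# New client: has the new root as a trust anchor, needs nothing else.
new_client_ok() { verify_leaf new.pem; }
# Old client: trusts only the old root, but the server sends the cross-cert.
old_client_with_cross_ok() { verify_leaf old.pem cross.pem; }
# Old client without the cross-cert in the chain: no path to a trusted root.
old_client_without_cross_ok() { verify_leaf old.pem; }
```

The third case is the failure mode to watch for during a transition: servers that present the leaf without the cross-certificate break every client that has not yet added the new root.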