On 12/02/2013 08:38 PM, From Brian Smith:
Why? Could you please explain what problem would be created if the renewed certificates had a different (later) notBefore time?
Traditionally we kept the same or a similar start date/time when extending an existing CA certificate with a new signature and new expiration date. This way, previously issued certificates can still be verified with the new one, in particular S/MIME but not only.
An end-user certificate that has been issued before the new/extended certificate has been can't have an earlier before-date than the issuer (or at least shouldn't). But it can still correctly chain to the new one, which is usually the whole idea of such PKI acrobatics. :-)
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
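The renewal scenario from the message above, as an added example that is not part of the original thread: a CA certificate is re-issued with the same key, once keeping the original notBefore and once with a later one, and a previously issued end-user certificate is checked against each. It assumes the Python `cryptography` package; every name, date and serial number is constructed for illustration.

```python
# Added illustration; all subjects, dates and serials are constructed.
from datetime import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CA_KEY = ec.generate_private_key(ec.SECP256R1())
LEAF_KEY = ec.generate_private_key(ec.SECP256R1())


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject, subject_key, start, end, serial):
    """Issue a certificate signed by the (hypothetical) Example CA key."""
    return (x509.CertificateBuilder()
            .subject_name(name(subject)).issuer_name(name("Example CA"))
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(start).not_valid_after(end)
            .sign(CA_KEY, hashes.SHA256()))


def not_before(cert):
    # Newer cryptography releases expose a timezone-aware accessor.
    return getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before


def check(leaf, ca):
    """Return (signature_verifies, leaf_notBefore_not_earlier_than_ca)."""
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                               ec.ECDSA(leaf.signature_hash_algorithm))
        sig_ok = True
    except InvalidSignature:
        sig_ok = False
    return sig_ok, not_before(ca) <= not_before(leaf)


old_ca = issue("Example CA", CA_KEY, datetime(2005, 1, 1), datetime(2015, 1, 1), 1)
leaf = issue("user@example.test", LEAF_KEY, datetime(2012, 6, 1), datetime(2014, 6, 1), 2)
# Renewals: same key and subject, new signature and later expiry.
same_start = issue("Example CA", CA_KEY, datetime(2005, 1, 1), datetime(2025, 1, 1), 3)
later_start = issue("Example CA", CA_KEY, datetime(2013, 12, 1), datetime(2025, 1, 1), 4)

if __name__ == "__main__":
    for label, ca in [("old", old_ca), ("same start", same_start), ("later start", later_start)]:
        print(label, check(leaf, ca))
```

The signature verifies against all three CA certificates because the key is unchanged; only the renewal with the later notBefore leaves the older end-user certificate starting before its issuer.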