[email protected] <[email protected]> writes:

>I explained the rollover certificate process outlined in RFC 4210 by signing
>the old public key with the new private key and the new public key with the
>old private key.

Uhh, that stuff was a gedanken experiment dreamed up by some folks in PKIX, alongside things like PKIX path-kludge certificates, not something you're supposed to rely on in real life. I'd be really surprised if any generic implementation actually handled those things the way PKIX imagined they will. I certainly wouldn't risk deploying one of those things on the assumption that it'll be handled properly. The path-kludge in particular looks like something that was designed to make PKIs break.

Peter.

