On 09.01.2009 05:32, Ben Bucksch wrote:
The OCSP responder is also allowed to forget about the revocation status of any cert that's outside its validity period.

Our CAs would not be allowed to do that. It's fairly trivial to keep the whole list.

P.S. That wouldn't even be strictly necessary, as I am not proposing to dishonor the CA certificate. If the CA says it's expired, we would consider it so, no change to now.

There's merely an *additional* requirement of the new key being signed by the old one.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
