<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 10/31/2014 11:59 PM, Gervase Markham
wrote:<br>
</div>
<blockquote cite="mid:54540658.9010404@mozilla.org" type="cite">
There is certainly the option of treating expired short-lived
certs
differently in new browsers, and I suggested that we might do that
in
the discussion in Beijing. But that would be icing on the cake.
</blockquote>
<br>
In my opinion very important!<br>
<br>
<blockquote cite="mid:54540658.9010404@mozilla.org" type="cite">
Would you prefer it if the guidelines said that each successive
short-lived cert had to use a different key? <br>
</blockquote>
<br>
I would see an even higher risk if such keys would have to be
exchanged on a daily basis. Or pre-created and submitted to the CA
(as CSR) and stored somewhere. <br>
<br>
I'm not really a supporter of this idea, but it's obvious that each
way has its own risks. I see more risks for such (short-lived)
certificates in general, no matter which way you chose (regarding
reuse of the key or not).<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>