[cabfpub] To revoke or not to revoke 1024

Rick Andrews Rick_Andrews at symantec.com
Mon Jun 24 07:39:41 UTC 2013

Eddy, that's what I assumed too, but that is not everyone's interpretation. Tom from Microsoft, for example, has similar language in his policy but he said it doesn't imply that we CAs must revoke.


On Jun 23, 2013, at 10:11 PM, "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org> wrote:

On 06/23/2013 10:32 PM, From Rick Andrews:

 1.  Mozilla’s policy seems to be similar – it says that such certs must expire by January 1, 2014, but it does not mandate that CAs revoke any such certs that would live beyond that date.

Something doesn't make sense here... if the certificates MUST expire by a certain date, there can't be any certificates with that requirement after that. I assume this means that certificates that are still valid should be revoked, otherwise a CA can't guarantee that such certificates aren't used anymore (which it shouldn't have issued in the first place or taken care of if they had a longer lifetime).

However, the key is probably the "must expire by" clause, which makes it binding. Meaning no more certificates with those properties after X.


Signer:   Eddy Nigg, COO/CTO
          StartCom Ltd. <http://www.startcom.org>
XMPP:     startcom at startcom.org
Blog:     Join the Revolution! <http://blog.startcom.org>
Twitter:  Follow Me <http://twitter.com/eddy_nigg>
