Peter Williams asks about re-issuing certificates in a slightly changed
manner, and their effect on previously issued certificates.
The basic model is that certificates, once issued, are valid until they
expire. Thus, a second certificate doesn't cancel any previously
issued certificates; it can only add authorization to what is already
I have toyed with the idea of having a "supersedes" field in a certificate
that gives the hash of a previous certificate that has been superseded
by this one. E.g.
( supersedes ( hash ... ) )
as an optional field in a certificate.
This is for notification only, and is not enforceable.
But I think that the "certificate cancellation notice" may be a better
stand-alone procedure for doing this, based on serial numbers and/or
hashes of certificates:
( issuer )
( hash ... )
( serial-numbers base bit-array base bit-array ... )
This mechanism handles everything the "supersedes" can do, and more...
- From: Carl Ellison <email@example.com>
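A toy implementation of the cancellation-notice check sketched in the message above, added here as an example; it is not code from the original post or from any SPKI implementation. It assumes (my reading, not the post's) that in (serial-numbers base bit-array ...) bit i of each bit-array cancels serial base+i, that (hash ...) carries an algorithm name plus a hex SHA-256 over the certificate's canonical text, that the notice's (issuer ...) must match the certificate's, and the S-expression syntax and sample certificates are constructed for the example.

```python
import hashlib
import re

_TOKEN = re.compile(r"\(|\)|[^\s()]+")

def parse_sexp(text):
    """Parse a minimal S-expression into nested lists of string atoms."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2: raise ValueError("unbalanced ')'")
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    if len(stack) != 1 or len(stack[0]) != 1: raise ValueError("unbalanced '('")
    return stack[0][0]

def field(sexp, name):
    # First sub-list of `sexp` whose head atom is `name`, else None.
    return next((i for i in sexp[1:] if isinstance(i, list) and i[:1] == [name]), None)

def cert_hash(cert_text):
    """Assumed hash: hex SHA-256 over the certificate's canonical text."""
    return hashlib.sha256(cert_text.encode()).hexdigest()

def cancelled_serials(notice):
    """Expand (serial-numbers base bit-array ...): bit i set => serial base+i."""
    sn = field(notice, "serial-numbers")
    pairs = sn[1:] if sn else []
    if len(pairs) % 2:
        raise ValueError("serial-numbers needs base/bit-array pairs")
    return {int(b) + i for b, bits in zip(pairs[::2], pairs[1::2])
            for i, bit in enumerate(bits) if bit == "1"}

def is_cancelled(notice_text, cert_text):
    """True if the notice names the certificate by hash or by serial."""
    notice, cert = parse_sexp(notice_text), parse_sexp(cert_text)
    if field(notice, "issuer") != field(cert, "issuer"):
        return False  # a notice only speaks for its own issuer
    h = field(notice, "hash")
    if h is not None and h[1:] == ["sha256", cert_hash(cert_text)]:
        return True
    serial = field(cert, "serial")
    return serial is not None and int(serial[1]) in cancelled_serials(notice)

# Constructed sample: CERT_A cancelled by hash; bits 101 at base 200 cancel 200 and 202.
CERT_A = "(cert (issuer alice) (serial 103) (subject bob))"
NOTICE = ("(cancel (issuer alice) (hash sha256 %s) (serial-numbers 200 101))"
          % cert_hash(CERT_A))
```

The issuer check is the caveat a verifier needs: a notice, like a certificate, should only be honoured for certificates of the issuer who signed it.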