On Fri, Aug 26, 2011 at 1:13 PM, Hector Santos <hsantos@xxxxxxxxxxxxxx> wrote: > Makes you wonder. Why is the concept of expiration required? Did the IETF > expire, die? Did its value as an Organization go down and only valid on a > year to year basis? As I understand it, expiration is supposed to solve the problem of someone getting their hands on your old certificates and impersonating you. In order to impersonate you, not only do they have to get into your system, they have to have done it in the last year or so. It also keeps certificates for domains from outliving domain registrations for too long. If you don't have the domain when you go to renew the certificate, the CA shouldn't renew it. I guess it also keeps revocation lists short. You only have to remember that a certain certificate was compromised until it expires, instead of forever. _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf