On Tue 2019-01-08 12:33:45 -0500, Russ Housley wrote:

> Guidance on the transition from one trust anchor to another is
> available in Section 4.4 of [RFC4210]. In particular, the oldWithNew
> and newWithOld advice ensures that relying parties are able to
> validate certificates issued under the current Root CA certificate
> and the next generation Root CA certificate throughout the
> transition. Further, this advice avoids the need for all relying
> parties to make the transition at the same time.

I'm not convinced that this analysis is correct, as i tried to explain
in more detail in Message-Id: <87k1jlnxnu.fsf@xxxxxxxxxxxxxxxxx>.

I hope my analysis in that e-mail is wrong, but i've received no
feedback on it yet.

Maybe some additional guidance about which parties should ship which
certificates in which contexts would clarify matters? Or maybe i'm just
missing something obvious to other people -- i'd be happy to see a
clarification.

Regards,

--dkg