> On Jan 10, 2019, at 2:15 PM, Salz, Rich <rsalz@xxxxxxxxxx> wrote:
>
>> If both checks succeed, then the potential Root CA certificate is
>> added to the trust anchor store and the current Root CA certificate is
>> removed.
>
> I suggest adding "after an appropriate amount of time (such as no old certificate chains being in use)."
>
> Does that solve the issue?

There are two cases. In one case, there is an enterprise directory system, and there is no concern with the discovery of the old-in-new and the new-in-old certificates. The old certificate can be removed without any concerns in this situation.

In the second case, there is no appropriate directory, and keeping the old certificate for some amount of time would prevent the issue raised by DKG.

Russ