[ca-tf] Policy proposal
Gert Doering gert at space.net
Mon May 3 15:25:35 CEST 2010
Hi,

On Mon, May 03, 2010 at 03:19:41PM +0200, Robert Kisteleki wrote:
> On slide 7: I think that the 3-5 year validity and the "reissue annually"
> are mutually exclusive. The reason why you want to have 3-5 years in the
> first place is to avoid the issues arising from not re-issuing. In other
> words, it doesn't make sense to re-issue if the previous certificate is still
> valid.

Maybe "re-issue" is not the correct crypto word here.

I know that in SSL web certificates, it's best current practice to issue
"new" certificates a few weeks before the "old" certificate runs out
(avoiding the term re-issue) - to give people a bit of slack to upgrade
their end, not having a flag day.

I think that's the point: not having a flag day where the old cert runs
out and a "somewhat lazy" LIR does not have time to install the new one
in time.

So how to phrase that correctly in terms of X.509 crypto?

Gert Doering
--
Total number of prefixes smaller than registry allocations: 150584

SpaceNet AG                  Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen             HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444      USt-IdNr.: DE813185279
