[ksk-change] planned vs. emergency (was Re: [ksk-rollover] root zone KSK ...)

Jakob Schlyter jakob at kirei.se
Mon Sep 22 07:53:33 UTC 2014

On 22 sep 2014, at 06:02, Michael StJohns <msj at nthpermutation.com> wrote:

> There's also the occasional re-sign of a self-signed CA certificate (changing the validity time without changing keys or other contents of the CA certificate).  The new certificate is basically chained to the old certificate and replaces the old one in the browser CA trust store when its seen.


What browser implements the CA certificate update mechanism described above? My experience is that the only way the common browser CA trust stores are updated is when the static configured CAs are updated due as a result of a software update - never based on what's seen.


More information about the ksk-rollover mailing list