Sept. 22, 2014
7:53 a.m.
On 22 sep 2014, at 06:02, Michael StJohns <msj@nthpermutation.com> wrote:
There's also the occasional re-sign of a self-signed CA certificate (changing the validity time without changing keys or other contents of the CA certificate). The new certificate is basically chained to the old certificate and replaces the old one in the browser CA trust store when its seen.
Mike, What browser implements the CA certificate update mechanism described above? My experience is that the only way the common browser CA trust stores are updated is when the static configured CAs are updated due as a result of a software update - never based on what's seen. jakob