To reissue a cert without revoking the previous one is like a half-baked cake. Actually, more like a cake that was never placed in the oven - a complete mess of runny eggs with dry flour and inedible. As long as they don't revoke the cert, the attacker could still use it along with its private key (which they potentially stole from you) to do an MITM attack.
It doesn't make sense.
What if a party is harmed by the compromised certificate? Legally whose fault is it if the CA replaced the compromised certificate but failed to revoke it as well?
2 comments
[ 3.8 ms ] story [ 11.4 ms ] threadIt doesn't make sense.
What if a party is harmed by the compromised certificate? Legally whose fault is it if the CA replaced the compromised certificate but failed to revoke it as well?