Replacing an expired certificate with a new one
Posted Mar 31, 2011 9:46 UTC (Thu) by epa
Parent article: Fallout from the fraudulent SSL certificates
When a certificate changes, CP will examine the new certificate and rate the likelihood that it indicates some kind of attack. For example, CP tries to detect certificates that were replaced because they were near to their expiration, and rates that change appropriately.
When a certificate is replaced, a keypair certified by the old certificate could be used to sign the new certificate. Then you'd be able to check that the new certificate was issued to the same person, in some sense, as the old certificate. This is an additional check, as well as choosing which CAs to trust.
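The two checks discussed above, as an added worked example that is not part of the comment and not Certificate Patrol's own code: a signature by the key certified by the old certificate over the DER encoding of the new certificate ("continuity"), and the near-expiry heuristic the quoted description alludes to. The certificates are self-signed P-256 ones constructed for the example, the hostname www.example.com and the 7-day window are assumptions, and the function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeSelfSigned builds a self-signed P-256 certificate for cn valid for the
// given number of days. It stands in for a site's real certificates; everything
// it produces is constructed test data for this example.
func MakeSelfSigned(cn string, notBefore time.Time, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it strictly positive
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// ContinuitySignature is the "sign the new certificate with the old key" idea:
// an ECDSA signature by the key the old certificate certifies, over the exact
// DER bytes of the new certificate, so it cannot be transplanted onto another one.
func ContinuitySignature(oldKey *ecdsa.PrivateKey, newCert *x509.Certificate) ([]byte, error) {
	digest := sha256.Sum256(newCert.Raw)
	return ecdsa.SignASN1(rand.Reader, oldKey, digest[:])
}

// VerifyContinuity checks sig under the public key in the old certificate.
// The old certificate's validity period is deliberately not consulted: it is
// used as a pinned identity, not as a chain element, and it may already have
// expired by the time the replacement is first seen. This proves only that the
// holder of the old key endorsed the new certificate; it says nothing about the
// issuing CA, which is why it is an additional check rather than a replacement.
func VerifyContinuity(oldCert, newCert *x509.Certificate, sig []byte) error {
	if err := oldCert.CheckSignature(x509.ECDSAWithSHA256, newCert.Raw, sig); err != nil {
		return fmt.Errorf("new certificate is not endorsed by the old key: %w", err)
	}
	return nil
}

// ReplacedNearExpiry is the renewal heuristic: a change first seen within
// window of the old certificate's NotAfter (or after it) looks like a routine
// renewal rather than an out-of-the-blue swap.
func ReplacedNearExpiry(oldCert *x509.Certificate, seen time.Time, window time.Duration) bool {
	return seen.After(oldCert.NotAfter.Add(-window))
}

func main() {
	start := time.Date(2011, 3, 1, 0, 0, 0, 0, time.UTC)
	oldCert, oldKey, err := MakeSelfSigned("www.example.com", start, 30)
	if err != nil {
		panic(err)
	}
	renewedAt := start.Add(25 * 24 * time.Hour)
	newCert, _, err := MakeSelfSigned("www.example.com", renewedAt, 365)
	if err != nil {
		panic(err)
	}
	sig, err := ContinuitySignature(oldKey, newCert)
	if err != nil {
		panic(err)
	}
	fmt.Println("renewal endorsed by old key:", VerifyContinuity(oldCert, newCert, sig) == nil)
	fmt.Println("seen near old certificate's expiry:", ReplacedNearExpiry(oldCert, renewedAt, 7*24*time.Hour))

	// A fraudulently issued certificate for the same name carries a fresh key,
	// so the best an attacker can do is sign it with that key, which fails here.
	fraudCert, fraudKey, err := MakeSelfSigned("www.example.com", renewedAt, 365)
	if err != nil {
		panic(err)
	}
	fraudSig, _ := ContinuitySignature(fraudKey, fraudCert)
	fmt.Println("fraudulent replacement accepted:", VerifyContinuity(oldCert, fraudCert, fraudSig) == nil)
}
```

The continuity check only moves the trust question to the old key: if that key was compromised, the attacker can produce a perfectly valid endorsement, and a legitimate operator who loses the old key cannot produce one at all, so a client should treat a missing or failing continuity signature as a reason to warn and rate the change, not as proof of attack on its own.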