When a certificate changes, CP will examine the new certificate and rate the likelihood that it indicates some kind of attack. For example, CP tries to detect certificates that were replaced because they were near to their expiration, and rates that change appropriately.

When a certificate is replaced, a keypair certified by the old certificate could be used to sign the new certificate. Then you'd be able to check that the new certificate was issued to the same person, in some sense, as the old certificate. This is an additional check, as well as choosing which CAs to trust.
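A sketch of the continuity check proposed above, combined with the near-expiry heuristic, as an added example that is not part of the original comment or of Certificate Patrol's code. The names `makeCert`, `endorse` and `rateChange`, the simplified certificate record, the rating strings and the 30-day renewal window are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed stand-in for a certificate: an Ed25519 key pair plus the fields
// the check needs. "der" stands in for the encoded certificate bytes.
function makeCert(name, notAfter) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  const der = Buffer.concat([Buffer.from(`${name}|${notAfter.toISOString()}|`), spki]);
  return { cert: { name, notAfter, publicKey, der }, privateKey };
}

function fingerprint(cert) {
  return crypto.createHash('sha256').update(cert.der).digest();
}

// The holder of the old key endorses the replacement by signing its fingerprint.
function endorse(oldPrivateKey, newCert) {
  return crypto.sign(null, fingerprint(newCert), oldPrivateKey);
}

// Rate a certificate change observed at time `now` (hypothetical rating scale).
function rateChange(oldCert, newCert, endorsement, now, renewalWindowDays = 30) {
  if (oldCert.name !== newCert.name) return 'suspicious: subject changed';
  if (endorsement) {
    // The signature must verify under the key from the certificate seen earlier,
    // and must cover exactly the certificate being presented now.
    return crypto.verify(null, fingerprint(newCert), oldCert.publicKey, endorsement)
      ? 'low: endorsed by old key'
      : 'suspicious: endorsement does not verify';
  }
  // No endorsement: fall back to the near-expiry heuristic.
  const daysLeft = (oldCert.notAfter - now) / DAY_MS;
  return daysLeft <= renewalWindowDays
    ? 'medium: unendorsed, old certificate near expiry'
    : 'suspicious: unendorsed, old certificate not near expiry';
}
```

A valid endorsement shows only that whoever produced the new certificate held the old private key, so it does not help when the replacement happened because that key was compromised.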
Copyright © 2017, Eklektix, Inc.