New comment by stderr5150 in "The Heartbleed Bug"

stderr5150 — Wed, 09 Apr 2014 04:16:45 +0000

I disagree. Revoking the certificate is a requirement. If you re-key without revoking, that means someone who has stolen your key could impersonate you until the validity period expires. So revoking is a needed if you want to inoculate yourself against a potential active man-in-the-middle attack.

If you want to be secure, make sure the certificate based on your old key is showing up in the certificate revocation list (CRL), and/or any online certificate status protocol (OCSP) servers it specifies.

Hacker News: stderr5150

New comment by stderr5150 in "The Heartbleed Bug"