"Do not require discontinuing use of a private key due to incorrect information in a certificate."


#1

This is pulled from:

Can someone direct to the import of this statement? What does it mean in more detail? What existed, what was changed and implemented or rolled back? Is there a discussion here, or on github, with the chatter surrounding the changes?

Thanks in advance.


#2

I believe it is item 5 on page 15 of https://letsencrypt.org/documents/ISRG-CPS-May-5-2016.pdf (although there might be other corresponding changes). The old policy could be read to suggest that, if you had a certificate for example.com and example.org and you transferred example.org to someone else, not only should you have to revoke that certificate (because it’s no longer accurate), but you could never again use that same private key. However, a certificate becoming inaccurate (e.g. because the subscriber no longer controls a particular domain name) is not the same kind of thing as a private key compromise, and so there’s no reason to always require a change of private key in the former case.