Phineas visits a .bit domain with TLS, but gets an error due to the system date/time being wrong. CryptoAPI caches the AIA URL's.
Phineas uninstalls and reinstalls ncdns-nsis, and fixes his date/time. By reinstalling ncdns-nsis, Phineas has rotated his Encaya keys.
Phineas now tries to visit the same .bit domain again.
Unfortunately, this results in an inconsistent state between the CryptoAPI AIA cache (which contains a Domain AIA Parent CA that is signed by the old Encaya key) and Encaya (which contains a .bit TLD CA with the new Encaya key). The result is that CryptoAPI will think the ECDSA signature on the Domain AIA Parent CA certificate is invalid.
In theory, the AIA cache will expire and this will fix itself, but the AIA cache does not appear to expire very quickly -- I waited an hour or so and it didn't help. However, we can flush the cache instantly by running this:
certutil -URLcache http://aia.x--nmc.bit/ delete
We should probably make ncdns-nsis run this command as part of the Encaya uninstallation routine. That ensures that whatever AIA cache mess was left by Encaya is gone when Namecoin is uninstalled.
Imagine the following chain of events:
Unfortunately, this results in an inconsistent state between the CryptoAPI AIA cache (which contains a Domain AIA Parent CA that is signed by the old Encaya key) and Encaya (which contains a .bit TLD CA with the new Encaya key). The result is that CryptoAPI will think the ECDSA signature on the Domain AIA Parent CA certificate is invalid.
In theory, the AIA cache will expire and this will fix itself, but the AIA cache does not appear to expire very quickly -- I waited an hour or so and it didn't help. However, we can flush the cache instantly by running this:
We should probably make ncdns-nsis run this command as part of the Encaya uninstallation routine. That ensures that whatever AIA cache mess was left by Encaya is gone when Namecoin is uninstalled.