Ondrej Mikle <ondrej.mi...@nic.cz> writes:

>Matches my observations, especially when looking at CRLs of some small CAs
>(company internal). I had a hunch some of those revocations could be due to
>CA compromise, but from my point of view it is only speculation. I
>appreciate sharing your experience working with CAs, it gives me a bit more
>understanding in my guesswork about how they operate internally :-)
So I'm going to invoke the Carl Ellison "if you think that's bad" rule (stated approximately as "whenever someone tells a horror story about PKI, someone else will come along with 'if you think that's bad...'") and mention a trusted root CA that went out of business (I tracked its root key through three resales but I have no idea who has it now) where not only did no-one who was left know how to put reason codes in CRLs, there was no-one who actually knew how to issue a CRL. So if you had a cert from them you could pretty much do whatever you wanted with it (until it expired naturally) because there was no way to revoke it.

Peter.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
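The two things the message turns on, reason codes in CRL entries and what a relying party does when the issuer never publishes a CRL at all, can be shown end to end with Go's standard crypto/x509 package. The following is an added example written for this page, not code from the thread or from any CA mentioned in it; the CA, the leaf certificate, the serial number and the one-hour CRL lifetime are all constructed here. It issues a CRL that marks the leaf as keyCompromise (CRLReason 1 in RFC 5280), verifies the CRL's signature and freshness, and then runs the same check with no CRL available: a soft-fail client reports the certificate as good, which is exactly the "do whatever you wanted with it" situation, while a hard-fail client reports that it cannot tell.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is what a relying party concludes about a certificate.
type Status int

const (
	Good    Status = iota // not listed on a valid CRL
	Revoked               // listed on a valid CRL
	Unknown               // no usable CRL, so revocation cannot be determined
)

// ReasonKeyCompromise is the RFC 5280 CRLReason value for keyCompromise.
const ReasonKeyCompromise = 1

// newCA builds a self-signed CA with the crlSign key usage (constructed for this example).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues an end-entity certificate under the CA (hypothetical subject name).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "leaf.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// issueCRL signs a CRL listing one serial together with its reason code.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int, reason int) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{
			SerialNumber: serial, RevocationTime: time.Now().Add(-time.Minute), ReasonCode: reason,
		}},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkRevocation is the relying-party side. A nil crlDER models a CA that never
// published a CRL; softFail selects how the client treats that absence.
func checkRevocation(cert, issuer *x509.Certificate, crlDER []byte, softFail bool) (Status, int, error) {
	if crlDER == nil {
		if softFail {
			return Good, 0, nil // an unrevocable cert is indistinguishable from a good one
		}
		return Unknown, 0, errors.New("no CRL available from issuer")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return Unknown, 0, err }
	if err := crl.CheckSignatureFrom(issuer); err != nil { return Unknown, 0, err } // must be signed by the issuer
	if time.Now().After(crl.NextUpdate) { return Unknown, 0, errors.New("CRL is stale") }
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return Revoked, e.ReasonCode, nil
		}
	}
	return Good, 0, nil
}

// run exercises the three cases: CRL present, no CRL with soft-fail, no CRL with hard-fail.
func run() (withCRL Status, reason int, noCRLSoft, noCRLHard Status, err error) {
	ca, caKey, err := newCA()
	if err != nil { return }
	leaf, err := issueLeaf(ca, caKey, 4242)
	if err != nil { return }
	crlDER, err := issueCRL(ca, caKey, leaf.SerialNumber, ReasonKeyCompromise)
	if err != nil { return }
	withCRL, reason, err = checkRevocation(leaf, ca, crlDER, false)
	if err != nil { return }
	noCRLSoft, _, _ = checkRevocation(leaf, ca, nil, true)
	noCRLHard, _, _ = checkRevocation(leaf, ca, nil, false)
	return
}

func main() {
	withCRL, reason, soft, hard, err := run()
	if err != nil { panic(err) }
	fmt.Printf("CRL present: status=%d reason=%d\n", withCRL, reason)
	fmt.Printf("no CRL: soft-fail status=%d, hard-fail status=%d\n", soft, hard)
}
```

The design point is in checkRevocation: signature and NextUpdate are checked before the serial lookup, so a forged or stale CRL yields Unknown rather than Good, and the only way the nil-CRL case ever yields Good is the explicit softFail branch. Whether a deployment can afford hard-fail is a policy decision; what the example makes concrete is that under soft-fail, a CA that cannot produce a CRL is, from the client's point of view, a CA that has never revoked anything.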