On Fri, Dec 09, 2011 at 01:01:05PM -0800, Jon Callas wrote:
>
> If you have a certificate issue a revocation for itself, there is an obvious,
> correct interpretation. That interpretation is what Michael Heyman said, and
> what OpenPGP does. That certificate is revoked and any subordinate
> certificates are also implicitly revoked. It's also like making a CRL for
> everything you issued.
Indeed. Non-temporal logic is a very poor substitute for temporal logic in
any real-world situation. But some simple definitions should make the matter
clear in any event:

Q: When is a certificate valid?
A: Until it is revoked, and if some other conditions are met.

Q: When is a certificate revoked?
A: At any time AFTER an authorized party revokes the certificate.

Q: Who is an authorized party for the purpose of revoking a certificate?
A: The signer of the certificate*

* One can envision systems in which the rule is "...or the party identified
by the certificate", too, but when talking about PKI, generally, that is not
the rule that is used.

Fortunately self-signed certs let us reason about this issue in a vacuum.

Now the problem degenerates to the basic quarrel over retroactive
revocations. But, depending on what your norms are there, with appropriate
choice of a temporal frame of reference it's no harder to solve.

Thor
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
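The definitions in the message above, worked through as a toy model. This is an added example, not code from the thread or from any OpenPGP implementation: the Cert and Revocation data model, the integer timestamps, the certificate names and the `frame` parameter (which stands in for the "temporal frame of reference" Thor mentions, counting a revocation either from when it was issued or from the time the revoker says it applies) are all assumptions made for illustration. A self-signed root revokes itself, and its subordinates become invalid with it; a revocation issued by a party other than the signer is ignored.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str        # equals subject for a self-signed certificate
    not_before: int    # validity window, as plain integer timestamps (assumed)
    not_after: int
    signed_at: int     # when the issuer put its signature on this certificate


@dataclass(frozen=True)
class Revocation:
    target: str
    revoked_by: str
    issued_at: int       # when the revocation statement was made
    effective_from: int  # time the revoker says it applies from; earlier
                         # than issued_at makes it a retroactive revocation


class Pki:
    """Hypothetical store of certificates and revocation statements."""

    def __init__(self, certs: List[Cert], revocations: List[Revocation]):
        self.certs: Dict[str, Cert] = {c.subject: c for c in certs}
        self.revocations = revocations

    def revoked_at(self, subject: str, t: int, frame: str = "issued") -> bool:
        """Q: when is a cert revoked?  A: at any time AFTER an authorized
        party (its signer) revokes it.  `frame` picks the temporal frame of
        reference: "issued" counts from when the revocation was made,
        "effective" from the time the revoker says it applies."""
        cert = self.certs[subject]
        for r in self.revocations:
            if r.target != subject or r.revoked_by != cert.issuer:
                continue   # wrong target, or not the signer: no authority
            start = r.issued_at if frame == "issued" else r.effective_from
            if t >= start:
                return True
        return False

    def valid_at(self, subject: str, t: int, frame: str = "issued",
                 _seen: Optional[Set[str]] = None) -> bool:
        """Q: when is a cert valid?  A: until it is revoked, and if the other
        conditions (validity window, valid issuer) are met."""
        _seen = set() if _seen is None else _seen
        if subject in _seen:
            return False            # issuer cycle with no self-signed root
        _seen = _seen | {subject}
        cert = self.certs.get(subject)
        if cert is None or not (cert.not_before <= t <= cert.not_after):
            return False
        if self.revoked_at(subject, t, frame):
            return False
        if cert.issuer == cert.subject:
            return True             # self-signed: the chain ends here
        # Subordinate: the signer must have been valid when it signed, and
        # must still be valid at t.  A revoked signer therefore implicitly
        # revokes everything it issued.
        return (self.valid_at(cert.issuer, cert.signed_at, frame, _seen)
                and self.valid_at(cert.issuer, t, frame, _seen))


def build_example() -> Pki:
    """Constructed scenario: a self-signed root that revokes itself at t=500
    while stating an effective time of t=50 (retroactive), plus a bogus
    revocation of the root issued by its own subordinate."""
    certs = [
        Cert("root", "root", 0, 1000, 0),
        Cert("intermediate", "root", 100, 1000, 100),
        Cert("leaf", "intermediate", 200, 1000, 200),
    ]
    revocations = [
        Revocation("root", "intermediate", 10, 10),   # not the signer: ignored
        Revocation("root", "root", 500, 50),          # self-revocation
    ]
    return Pki(certs, revocations)


if __name__ == "__main__":
    pki = build_example()
    for frame in ("issued", "effective"):
        for t in (20, 300, 600):
            print(frame, t, [pki.valid_at(s, t, frame)
                             for s in ("root", "intermediate", "leaf")])
```

With `frame="issued"` the leaf is valid at t=300 and invalid at t=600, because the root's self-revocation takes effect at 500 and drags the intermediate and leaf down with it. With `frame="effective"` the same revocation is counted from t=50, which predates the intermediate's signing, so nothing below the root is ever valid: the two readings of one retroactive revocation differ only in the frame of reference chosen, which is the point of the message.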