On 8/12/11 02:11 AM, d...@geer.org wrote:
Another wrinkle, at least as a logic problem, would be whether you can revoke the signing cert for a CRL and what, exactly, would that mean -- particularly if the last known good date is well astern and hence the revocation would optimally be retroactive.
Is the logical answer here that you have to treat the signing cert for a CRL at the same level as the root concerned?
So a CRL-signing cert for a sub-root (generally one and the same thing) would (both) want to be revoked at the root level, that is, appear in the CRL as signed by the root. Whether it works that way in practice, I don't know. I suppose I should...
In PKI it's a fairly well established principle that the layer one up has to revoke [0]. So, when some roots needed to be revoked recently, browsers had to ship new software. Vendors are the ueber-CA. Therefore, the CRL/OCSP certs for a root can only be revoked at software level.
--dan, quite possibly in a rat hole
iang, we're all in rat holes together

[0] Unlike PGP where self can revoke self; there are no layers.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
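The revocation logic argued over above, as an added example that is not part of the thread and not anyone's production code: a constructed model of a root, a sub-CA, a leaf and a separate CRL-signing cert for the sub-CA. It implements the rule the two posters converge on (a cert is revoked only by a CRL from the layer above it, the CRL signer for a sub-CA is issued and revoked at the root level, and a root can only be dropped from the trust store), which is an assumed policy stricter than what RFC 5280 requires. Signatures are stand-ins (HMAC over the signed fields with a per-name secret), and all names, serials and day numbers are made up for the demonstration; the `day` argument can precede the CRL's publication date, which is the retroactive case Dan raises.

```python
"""Constructed model of who may revoke what in a CA hierarchy (not real X.509)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Stand-in for signing keys: a per-name secret, with HMAC-SHA256 playing the
# part of a signature. Asymmetric keys would not change the layering logic.
KEYS: Dict[str, bytes] = {
    "root": b"constructed-root-secret",
    "sub": b"constructed-sub-secret",
    "sub-crl-signer": b"constructed-crl-signer-secret",
    "sub-crl-signer-2": b"constructed-crl-signer-2-secret",
    "leaf": b"constructed-leaf-secret",
}


def _sign(signer: str, body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()


def _verify(signer: str, body: dict, sig: str) -> bool:
    return signer in KEYS and hmac.compare_digest(_sign(signer, body), sig)


@dataclass
class Cert:
    subject: str
    issuer: str                    # equals subject for a self-signed root
    serial: int
    crl_for: Optional[str] = None  # on a CRL-signing cert: which CA's CRLs it signs
    sig: str = ""

    def body(self) -> dict:
        return {"subject": self.subject, "issuer": self.issuer,
                "serial": self.serial, "crl_for": self.crl_for}


@dataclass
class CRL:
    covers: str              # the CA whose issued certs this CRL lists
    signer: str              # that CA itself, or a CRL-signing cert for it
    this_update: int         # day the CRL was published
    revoked: Dict[int, int]  # serial -> revocation day; may precede this_update
    sig: str = ""

    def body(self) -> dict:
        return {"covers": self.covers, "signer": self.signer,
                "this_update": self.this_update,
                "revoked": sorted(self.revoked.items())}


def make_cert(subject: str, issuer: str, serial: int, crl_for: Optional[str] = None) -> Cert:
    cert = Cert(subject, issuer, serial, crl_for)
    cert.sig = _sign(issuer, cert.body())
    return cert


def make_crl(covers: str, signer: str, this_update: int, revoked: Dict[int, int]) -> CRL:
    crl = CRL(covers, signer, this_update, dict(revoked))
    crl.sig = _sign(signer, crl.body())
    return crl


def status(cert: Cert, certs: Dict[str, Cert], crls: Dict[str, CRL],
           trust_store: Set[str], day: int, _seen: frozenset = frozenset()) -> str:
    """'valid', 'revoked', 'untrusted' or 'unknown' for `cert` as of `day`.

    `day` may be earlier than a CRL's this_update: that is the retroactive
    question of whether the cert was already bad when a signature was made.
    """
    if cert.subject in _seen:
        return "untrusted"          # issuer loop with no root: refuse
    seen = _seen | {cert.subject}
    if cert.issuer == cert.subject:
        # A root has no layer above it, so no CRL can speak about it.
        return "valid" if cert.subject in trust_store else "untrusted"
    issuer = certs.get(cert.issuer)
    if issuer is None or not _verify(cert.issuer, cert.body(), cert.sig):
        return "untrusted"
    if status(issuer, certs, crls, trust_store, day, seen) != "valid":
        return "untrusted"
    crl = crls.get(cert.issuer)
    if crl is None:
        return "unknown"
    if crl.signer != cert.issuer:
        # Indirect CRL: the signer must hold a CRL-signing cert for this CA,
        # issued (and hence revocable) one layer up, by the CA's own issuer.
        signer = certs.get(crl.signer)
        if (signer is None or signer.crl_for != cert.issuer
                or signer.issuer != issuer.issuer):
            return "unknown"
        if status(signer, certs, crls, trust_store, day, seen) != "valid":
            return "unknown"        # CRL signer is revoked: its CRLs prove nothing
    if not _verify(crl.signer, crl.body(), crl.sig):
        return "unknown"
    revoked_on = crl.revoked.get(cert.serial)
    if revoked_on is not None and revoked_on <= day:
        return "revoked"
    return "valid"


def build_scenario():
    """root -> sub -> leaf, plus a CRL signer for `sub` issued by the root. On
    day 50 the root's CRL revokes that signer back to day 20, its last known
    good date, so the sub-CA's CRL (published day 30) can no longer be trusted."""
    certs = {c.subject: c for c in (
        make_cert("root", "root", 1),
        make_cert("sub", "root", 2),
        make_cert("sub-crl-signer", "root", 3, crl_for="sub"),
        make_cert("leaf", "sub", 10))}
    crls = {"sub": make_crl("sub", "sub-crl-signer", 30, {}),
            "root": make_crl("root", "root", 50, {3: 20})}
    return certs, crls


def replace_crl_signer(certs: Dict[str, Cert], crls: Dict[str, CRL]) -> None:
    """Recovery: the root issues a fresh CRL signer for `sub`, which publishes
    a new CRL on day 55 that revokes the leaf as of that day."""
    new = make_cert("sub-crl-signer-2", "root", 4, crl_for="sub")
    certs[new.subject] = new
    crls["sub"] = make_crl("sub", new.subject, 55, {10: 55})


if __name__ == "__main__":
    certs, crls = build_scenario()
    for day in (10, 40):
        print(f"leaf on day {day}: {status(certs['leaf'], certs, crls, {'root'}, day)}")
    print("root after trust-store removal:", status(certs["root"], certs, crls, set(), 40))
    replace_crl_signer(certs, crls)
    print("leaf on day 60 with new CRL signer:", status(certs["leaf"], certs, crls, {"root"}, 60))
```

Two things the run makes visible that the prose only states: once the root revokes the sub-CA's CRL signer, every cert under that sub-CA drops to "unknown" rather than "valid" or "revoked", because the only revocation evidence for them came from a signer that is no longer trusted, and the root itself never reaches the CRL logic at all, so the only way to "revoke" it is to take it out of the trust store.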