On Saturday, 25 June 2016 21:55:46 UTC+1, Ben Laurie wrote:
> In practice, what does this mean? How does one revoke the path from
> the trust anchor to the CA?

This path will involve one or more certificates and the certificates can be 
revoked in the usual manner by their serial number. For most modern 
intermediates this will mean adding them to a CRL signed by the trust anchor 
and listed in the original certificate itself.

You seem to be focused on the idea that since the issuer is identified by DN 
whereas the revocation list works on serial numbers this is a disconnect, but 
both these facts are present in the issuer's _certificate_. If you don't have 
that certificate then you have no reason to believe there was ever a trust 
path, let alone that it's still good and unrevoked. If you DO have it, then you 
can see the serial number and other information to determine if it's revoked. 
If I have mistaken what your concern is, please spell it out.

Revoking specific certificates (by serial number) rather than DNs means it's 
possible for a CA to revoke any certificate and then immediately issue a new 
certificate (with a different serial) for the same DN with different contents. 
You'd like to hope that a well-run CA would scarcely ever need to do that, but 
scarcely ever isn't the same as never, and we do not have an ecosystem of 
well-run CAs yet, if we ever will.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
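The mechanism the reply describes, as an added example in Go that is not part of the original thread or of any Mozilla code: a self-signed trust anchor issues an intermediate, lists that intermediate's serial number in a CRL it signs, and then immediately issues a replacement intermediate with the same DN. The relying-party check takes the serial number, the issuer DN and the CRL distribution point from the intermediate certificate itself, accepts the CRL only if the trust anchor signed it and the issuer DNs agree, and only then looks the serial up. It uses only the Go 1.21+ standard library; the distribution point URL and the CA names are constructed for the example and nothing is fetched from the network.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Hypothetical CRL distribution point URL; nothing is fetched from it.
const crlURL = "http://crl.example.test/root.crl"

// must keeps the setup code short; real code would propagate the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// trustAnchor is a self-signed root that issues intermediates and signs CRLs.
type trustAnchor struct {
	key        *ecdsa.PrivateKey
	cert       *x509.Certificate
	nextSerial int64
}

// caTemplate builds a CA certificate template; crlSign lets the holder sign CRLs.
func caTemplate(serial int64, cn string, crlDPs []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, CRLDistributionPoints: crlDPs,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func newTrustAnchor() *trustAnchor {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := caTemplate(1, "Example Root CA", nil)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &trustAnchor{key: key, cert: must(x509.ParseCertificate(der)), nextSerial: 1000}
}

// issueIntermediate signs an intermediate CA certificate: a fresh serial on every
// call even when the DN repeats, and the CRL location written into the certificate.
func (ta *trustAnchor) issueIntermediate(cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ta.nextSerial++
	tmpl := caTemplate(ta.nextSerial, cn, []string{crlURL})
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ta.cert, &key.PublicKey, ta.key))
	return must(x509.ParseCertificate(der))
}

// signCRL issues a CRL signed by the trust anchor. Although it is handed whole
// certificates, each entry carries only the serial number, never the DN.
func (ta *trustAnchor) signCRL(revoked ...*x509.Certificate) []byte {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ta.cert, ta.key))
}

// revokedByCRL takes serial, issuer DN and CRL location from the certificate itself,
// accepts the CRL only if the trust anchor signed it and the issuer DN matches, then looks up the serial.
func revokedByCRL(cert, anchor *x509.Certificate, fetchedFrom string, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(anchor); err != nil {
		return false, fmt.Errorf("CRL not signed by trust anchor: %w", err)
	}
	if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) {
		return false, errors.New("CRL issuer DN does not match certificate issuer DN")
	}
	if !slices.Contains(cert.CRLDistributionPoints, fetchedFrom) {
		return false, errors.New("CRL source is not a distribution point listed in the certificate")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// main walks the scenario in the post: revoke an intermediate by serial, then
// immediately issue a replacement with the same DN but a different serial.
func main() {
	ta := newTrustAnchor()
	oldCA := ta.issueIntermediate("Example Intermediate CA")
	crl := ta.signCRL(oldCA)
	newCA := ta.issueIntermediate("Example Intermediate CA") // same DN, new serial
	fmt.Println(revokedByCRL(oldCA, ta.cert, crlURL, crl)) // true <nil>
	fmt.Println(revokedByCRL(newCA, ta.cert, crlURL, crl)) // false <nil>
}
```

Because the CRL entry is a bare serial, the replacement intermediate with the identical DN is not affected by the revocation, which is the property the reply points out. A relying party that lacks the intermediate certificate has none of the three inputs (serial, issuer DN, CRL location) and so cannot even start this check; a CRL signed by some other self-signed root, or obtained from a location the certificate does not name, is rejected before the serial is consulted. A production checker would additionally refuse a CRL whose NextUpdate has passed and handle fetching and caching, which this example omits.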