Frank Hecker:
Eddy Nigg wrote:
b. Is there a way in the root list (code) to signal that a root is
revoked (other than by a self-signed CRL of self)? E.g., by a flag
or something?
Not that I'm aware of.
I don't know if this is what Ian was referring to, but in theory we can
leave the root certificate in NSS but set the "trust flags" off. This
would result in rejecting any use of a certificate whose cert chain
terminated in that root. Note that we've never actually done this for
any root.
Oh right, I completely forgot about that. I think I was too concentrated
on what the CA can do instead of reading the question correctly... Ian
indeed asked about NSS (he calls it root list :-) ).
Note also that (I think) in this case a user could manually set the
flags back to allow the root to be used again.
Which isn't such a good idea. I think the only flag which should be
allowed in such a case would be the email flag. But I remember from some
bug that removal of the CA root nevertheless allows reading previously
encrypted mail, provided the EE cert was marked accordingly.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
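The three situations discussed in the thread (root present with trust flags off, a user turning the flags back on, and the root deleted while the EE cert carries its own trust) as an added, runnable model. This is example code written for this page, not NSS code or anything posted by the participants. It models certutil-style trust strings ("SSL,Email,ObjSign" columns with C for a trusted CA and P for a trusted peer) and a chain walk from the end-entity cert up to a root; certificate names (Example Root, Example Sub CA, mail user) are constructed, signature verification is skipped entirely, and treating the EE cert being "marked accordingly" as a P flag in its email column is an assumption of this model.

```python
"""Model of NSS trust-flag evaluation for a certificate chain.

Constructed example: a Cert is just (subject, issuer, trust string); no
signatures are checked. Only the trust-flag logic is demonstrated.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# The three columns of a certutil trust string, in order.
USAGES = ("ssl", "email", "objsign")


@dataclass
class Cert:
    nickname: str
    subject: str
    issuer: str          # equals subject for a self-signed root
    trust: str = ",,"    # certutil-style "SSL,Email,ObjSign", default: no trust


def parse_trust(trust: str) -> Dict[str, str]:
    """Split "CT,C,C" into {"ssl": "CT", "email": "C", "objsign": "C"}."""
    cols = trust.split(",")
    if len(cols) != 3:
        raise ValueError("trust string must have three comma-separated fields")
    return dict(zip(USAGES, cols))


class TrustStore:
    """A minimal stand-in for an NSS cert database (nickname -> cert)."""

    def __init__(self) -> None:
        self.certs: Dict[str, Cert] = {}

    def add(self, cert: Cert) -> None:            # like certutil -A
        self.certs[cert.nickname] = cert

    def delete(self, nickname: str) -> None:      # like certutil -D
        del self.certs[nickname]

    def modify_trust(self, nickname: str, trust: str) -> None:  # like certutil -M -t
        parse_trust(trust)                        # validate before storing
        self.certs[nickname].trust = trust

    def find_by_subject(self, subject: str) -> Optional[Cert]:
        for c in self.certs.values():
            if c.subject == subject:
                return c
        return None

    def verify(self, leaf: Cert, usage: str) -> str:
        """Walk from the leaf towards a root; return an 'ok: ...' or 'reject: ...' reason."""
        if usage not in USAGES:
            raise ValueError("unknown usage %r" % usage)
        # P on the leaf itself: explicitly trusted peer, no chain needed (assumption:
        # this is how an EE cert "marked accordingly" keeps old mail readable).
        if "P" in parse_trust(leaf.trust)[usage]:
            return "ok: leaf explicitly trusted (P) for %s" % usage
        current, seen = leaf, set()
        while True:
            issuer = self.find_by_subject(current.issuer)
            if issuer is None:
                return "reject: issuer %r not in store" % current.issuer
            flags = parse_trust(issuer.trust)[usage]
            if "C" in flags:
                return "ok: chain ends in trusted CA %s" % issuer.nickname
            if issuer.issuer == issuer.subject:   # self-signed root without a C flag
                return "reject: root %s present but not trusted for %s (flags %r)" % (
                    issuer.nickname, usage, flags)
            if issuer.nickname in seen:
                return "reject: issuer loop"
            seen.add(issuer.nickname)
            current = issuer


def demo() -> Dict[str, str]:
    """Run the scenarios from the thread; keys name the scenario, values the verdict."""
    store = TrustStore()
    root = Cert("Example Root", "CN=Example Root", "CN=Example Root", "CT,C,C")
    sub = Cert("Example Sub CA", "CN=Example Sub CA", "CN=Example Root")
    leaf = Cert("mail user", "CN=user@example.test", "CN=Example Sub CA")
    for c in (root, sub, leaf):
        store.add(c)
    results = {}
    results["trusted"] = store.verify(leaf, "ssl")
    store.modify_trust("Example Root", ",,")       # root stays in, trust flags off
    results["flags_off"] = store.verify(leaf, "ssl")
    store.modify_trust("Example Root", "CT,C,C")   # a user can simply set them back
    results["restored"] = store.verify(leaf, "ssl")
    store.delete("Example Root")                   # root removed entirely
    results["removed"] = store.verify(leaf, "email")
    store.modify_trust("mail user", ",P,")         # EE cert trusted for email on its own
    results["removed_leaf_P"] = store.verify(leaf, "email")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-15s %s" % (name, verdict))
```

The model makes the difference between the two options visible: with the root still present and trust ",,", the chain is rejected with a reason that points at the untrusted root, but one modify_trust call restores it; with the root deleted, nothing in the chain can be rebuilt, yet a P flag on the end-entity cert's email column still lets that single cert be used, which is the behaviour the thread attributes to previously encrypted mail.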