On 05/12/2009 09:45 PM, Nelson B Bolyard:
> > Was Peter referring to the general question of a public CA having its
> > root removed from a browser for whatever reason? Or was he specifically
> > referring to a public CA having a root key compromised and thus having
> > the root "revoked"?
>
> Frank, As I understand it, doubt has been cast on the value of revocation
> checking of CA certs, on the grounds that CAs simply never have revoked a
> CA cert, and (it is suggested) likely never will.

Maybe not revoked, but taken out of active usage? StartCom has stopped active issuance (one year ago) and requested removal of its 1024-bit root: https://bugzilla.mozilla.org/show_bug.cgi?id=487150

This root is scheduled for archival and future destruction.

> I think this is a case where we're hoping that someone will find an example
> where a real public CA actually has revoked a subordinate CA cert at some
> point, demonstrating that revocation checking on CA certs would have been
> of value in that case.

I think there is a big difference between an intermediate CA certificate and a root. I'm certain some intermediates have been revoked already for whatever reason.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto