On Wednesday 25 May 2005 19:00, Nelson B wrote:
> Ian G wrote:
> > On Friday 20 May 2005 23:47, Jean-Marc Desperrier wrote:
> >>Gervase Markham wrote:
> >>>Er, given that we have no OCSP and no-one's checking CRLs, I think
> >>>losing a root cert which is embedded in 99% of browsers out there would
> >>>be an _extremely_ big deal.
> >>
> >>But OCSP/CRL can not help in case of *root* cert compromise.
> >>There's nothing above it to sign the validity information.
> >
> > Can't it revoke itself?
>
> Ah, I was wondering when paradoxes would enter this discussion.
> CA self revocation:  Everything I say is a lie.
>
> "I think not" said Descartes, who promptly vanished.

LOL, very humorous :-)

Still, Nelson, this is a serious question - and I'd be
interested in the answer.

It's not a paradox, as a self-revocation is a fairly
solid signal that simply can't be rolled back;  other
systems seem to get on fine with it without vanishing
into their own paradoxes.

(If one wishes to put it in human terms, the revocation
is the act of suicide, and although called many things
none of them would approach paradoxical.)

To be honest, it looks like a simple absence in the
specs.  That is, the PKI people didn't think about it
in implementation terms, and left it out.  It's obviously
a huge lack, as it means that many markets would
not use PKI due to the single point of failure aspects.

I don't think this is a big issue - my own designs and
code are littered with such things.  "I don't know how
to do X so I'll leave that until someone grumbles..."

iang
-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security