Anne & Lynn Wheeler wrote:
Nelson B <[EMAIL PROTECTED]> writes:
Ah, I was wondering when paradoxes would enter this discussion.
CA self revocation: Everything I say is a lie.
"I think not" said Descartes, who promptly vanished.
the original scenario was that a CA could only assert that they were no
longer valid ... they could never assert the reverse. So only a valid
CA could declare themselves no longer valid ... or bad guys that had
compromised the private key could declare the CA no longer valid ...
but the inverse couldn't be asserted.
By signing a CRL that does not include a particular cert's serial
number, or by signing an OCSP response that says this cert's serial
number is still valid, a CA makes the statement that the cert in
question is not revoked. As I have already explained, if the CA key was
compromised, anyone could use it to make such incorrect statements.
Thus, one could never rely on this "is valid" statement.
A revocation checking protocol that would only allow an "is
revoked" response wouldn't be very useful, now, would it? If it
existed, you would already know the answer before you made the query, so
why even make the query?
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
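The point Nelson makes above, that a signed CRL which omits a serial number and a signed OCSP "good" response are both positive "not revoked" statements made with the CA key, can be seen in a small relying-party checker. The following is an added example written for this page, not code from anyone in the thread. It uses an HMAC key as a stand-in for the CA's private key so that it runs with the Python standard library alone (a real verifier would hold only the CA's public key, but the decision logic is the same), and the serial numbers, keys and dates are constructed for the demonstration.

```python
"""Toy CRL / OCSP revocation checker (constructed example, not from the thread).

Models the point that a signed CRL omitting a serial, or a signed OCSP "good"
response, is a positive "not revoked" assertion by whoever holds the CA key.
An HMAC key stands in for the CA private key so this runs with the standard
library only; the verifier here therefore holds the same key as the signer,
which a real public-key verifier would not.
"""
import hashlib
import hmac
import json

# Constructed keys: the CA's signing key, and an unrelated key nobody trusts.
CA_KEY = b"example-ca-signing-key"
ROGUE_KEY = b"some-other-key"

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


def _sign(key: bytes, body: bytes) -> str:
    """Stand-in for the CA's digital signature over body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _verify(key: bytes, body: bytes, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, body), sig)


def issue_crl(key: bytes, revoked: set, this_update: str) -> dict:
    """CA operation: sign the complete list of revoked serial numbers."""
    body = json.dumps({"thisUpdate": this_update,
                       "revoked": sorted(revoked)}, sort_keys=True).encode()
    return {"body": body, "sig": _sign(key, body)}


def issue_ocsp(key: bytes, serial: int, status: str, produced_at: str) -> dict:
    """CA (or its OCSP responder) operation: sign a status for one serial."""
    body = json.dumps({"serial": serial, "status": status,
                       "producedAt": produced_at}, sort_keys=True).encode()
    return {"body": body, "sig": _sign(key, body)}


def crl_status(crl: dict, trusted_key: bytes, serial: int) -> str:
    """Relying-party check against a CRL.

    A CRL whose signature does not verify says nothing.  A CRL that verifies
    and omits the serial is taken as the CA's assertion that the cert is not
    revoked: absence from the signed list is itself a positive statement.
    """
    if not _verify(trusted_key, crl["body"], crl["sig"]):
        return UNKNOWN
    revoked = set(json.loads(crl["body"])["revoked"])
    return REVOKED if serial in revoked else GOOD


def ocsp_status(resp: dict, trusted_key: bytes, serial: int) -> str:
    """Relying-party check of a single-cert OCSP response."""
    if not _verify(trusted_key, resp["body"], resp["sig"]):
        return UNKNOWN
    content = json.loads(resp["body"])
    if content["serial"] != serial:
        return UNKNOWN
    return content["status"]


def demo() -> dict:
    """Walk through the scenario from the thread; returns the observed statuses."""
    # Constructed serials: 0x1001 is live, 0x1002 has been revoked by the CA.
    crl = issue_crl(CA_KEY, {0x1002}, "2005-01-01T00:00:00Z")
    # A CRL under an untrusted key is ignored, whatever it claims.
    rogue_crl = issue_crl(ROGUE_KEY, set(), "2005-01-01T00:00:00Z")
    # An attacker holding the compromised CA key signs a CRL that omits 0x1002
    # and an OCSP response that calls it good; both verify and both "un-revoke" it.
    forged_crl = issue_crl(CA_KEY, set(), "2005-01-02T00:00:00Z")
    forged_ocsp = issue_ocsp(CA_KEY, 0x1002, GOOD, "2005-01-02T00:00:00Z")
    return {
        "honest_crl_live": crl_status(crl, CA_KEY, 0x1001),
        "honest_crl_revoked": crl_status(crl, CA_KEY, 0x1002),
        "rogue_crl_revoked": crl_status(rogue_crl, CA_KEY, 0x1002),
        "forged_crl_revoked": crl_status(forged_crl, CA_KEY, 0x1002),
        "forged_ocsp_revoked": ocsp_status(forged_ocsp, CA_KEY, 0x1002),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Running `demo()` shows the asymmetry under discussion: the honest CRL yields "revoked" for 0x1002, a CRL under an unknown key yields "unknown", and a CRL or OCSP response signed with the compromised CA key yields "good" for the very serial the CA had revoked, because the relying party has no way to tell a legitimate "not revoked" assertion from one made by whoever stole the key.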