>can CRLs be signed by a certificate that is not the CA certificate
No.
>What do you think ???
Very very bad idea. There are various alternative ways of getting fast
online status; OCSP is one. Valicert has a cute patented data structure
called CRT's that can be effective. Entrust has a way of "delegating" CRL's
that might work.
Look around. Don't invent a new mechanism; it is not needed.
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]