>What do you mean by "the CA certificate"?
Yes, you're right; I was being too simplistic.
A CA can delegate its CRL-signing capability via CRLDP, etc.
I think the concept of "suspension" is worthwhile in realtime environments.
Think "credit card stolen" vs. "spending limit exceeded." I think it
becomes much less useful in a static list such as originally proposed.
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List