Hi list.
Some philosophical questions:
Should a self-signed root certificate ever need to be revoked, shall it
list itself in its usual CRL(s), as the last thing it does before it is
thrown away, or is it sufficient (from its users' standpoint) that it
simply ceases to issue more CRLs?
Consequentially, if it should appear in its own CRL, should the certificate
also include a CRL distribution point extension field?
The X.500 directory specs (in particular X.509) outline two attributes for
distributing CRLs through a directory: certificateRevocationList for
end-user certificates, and authorityRevocationList for [sub-ordinate?]
CA-certs. In this light, should the self-signed root CA use the
authorityRevocationList CRL to announce its demise?
Thanks
/Mats
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]