On Sat, Dec 02, 2000 at 12:05:46PM +0000, Ben Laurie wrote:
> Bodo Moeller wrote:
>> Peter Gutmann <[EMAIL PROTECTED]>:
>>> Mats Nilsson <[EMAIL PROTECTED]>:

>>>> Should a self-signed root certificate ever need to be revoked, shall it list
>>>> itself in its usual CRL(s), as the last thing it does before it is thrown
>>>> away, or is it sufficient (from its users' standpoint) that it simply ceases
>>>> to issue more CRLs?

>>> No one knows (and I don't just mean that as a shoulder-shrug response, I mean
>>> that no one, at least on the PKIX list, actually knows what's supposed to happen
>>> in this situation).  The behaviour from current apps is that some will accept a
>>> self-revocation, some will reject it, and a small number will crash or fail in
>>> some other way.

>> I like the idea of having the application crash in such a situation:
>> Obviously the application developers noticed the similarity to the
>> Epimenides paradoxon [1] and did not see any other way out except having
>> the program vanish in a puff of logic.

> Eh? Surely if a cert revokes itself then one of two things has happened:
> 
> a) The legitimate owner revoked it
> 
> b) Someone else got hold of the private key and revoked it
> 
> in either case, you want the cert to be revoked, right?

Sure.  As I explained, there's nothing paradoxical about the
Epimenides paradoxon either; but still it's often cited as a
prototypical paradoxon.

(I had hoped for someone to point out that the Greek did not
have a senate ...)


-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
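
The relying-party policy Ben Laurie argues for in the thread above (a self-revocation signed with the root's own key means the root is treated as revoked, whichever of his two cases applies), as an added example that is not part of the original messages or of OpenSSL. It assumes Python's `cryptography` package; the root name, serial numbers and dates are constructed, and `make_root`, `make_crl` and `root_status` are hypothetical helpers.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2000, 12, 2, 12, 0, 0)  # constructed timestamp


def make_root(key, serial=1):
    """Build a constructed self-signed root (subject == issuer)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root (constructed)")])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))


def make_crl(root, key, revoked_serials):
    """Issue a CRL under the root's name listing the given serial numbers."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(root.subject)
               .last_update(NOW)
               .next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(NOW).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(key, hashes.SHA256())


def root_status(root, crl):
    """Return 'bad-crl', 'revoked' or 'good'; never raise on self-revocation."""
    # A CRL that the root's key did not sign says nothing about the root.
    if crl.issuer != root.subject or not crl.is_signature_valid(root.public_key()):
        return "bad-crl"
    # Case (a) or (b) from the thread: a holder of the root key listed the
    # root's own serial, so stop trusting the root instead of failing.
    if crl.get_revoked_certificate_by_serial_number(root.serial_number) is not None:
        return "revoked"
    return "good"
```
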