I can imagine a scenario whereby an organization might choose to sign a
death notice before going out of business. For example, suppose a
commercial CA decided to go out of business, there might be benefits to
their signing a CRL including their root certificate.
Frank
> -----Original Message-----
> From: Ben Laurie [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, December 02, 2000 7:06 AM
> To: [EMAIL PROTECTED]
> Subject: Re: CRLs and self-signed root certs.
>
>
> Bodo Moeller wrote:
> >
> > Peter Gutmann <[EMAIL PROTECTED]>:
> > > Mats Nilsson <[EMAIL PROTECTED]>:
> >
> > >> Should a self-signed root certificate ever need to be revoked, shall it list
> > >> itself in its usual CRL(s), as the last thing it does before it is thrown
> > >> away, or is it sufficient (from its users' standpoint) that it simply ceases
> > >> to issue more CRLs?
> >
> > > No one knows (and I don't just mean that as a shoulder-shrug response, I mean
> > > that no one, at least on the PKIX list, actually knows what's supposed to happen
> > > in this situation). The behaviour from current apps is that some will accept a
> > > self-revocation, some will reject it, and a small number will crash or fail in
> > > some other way.
> >
> > I like the idea of having the application crash in such a situation:
> > Obviously the application developers noticed the similarity to the
> > Epimenides paradox [1] and did not see any other way out except having
> > the program vanish in a puff of logic.
>
> Eh? Surely if a cert revokes itself then one of two things has happened:
>
> a) The legitimate owner revoked it
>
> b) Someone else got hold of the private key and revoked it
>
> in either case, you want the cert to be revoked, right?
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
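One way a relying party could act on the position Ben Laurie takes in the quoted message (honour a self-revocation whoever produced it), as an added example that is not part of the thread or of OpenSSL. It uses the Python `cryptography` package; the root, the dates and the helper names are constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed validity window for the sample root and CRL.
T0, T1 = dt.datetime(2000, 1, 1), dt.datetime(2010, 1, 1)
NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Example Root")])

def make_root():
    """Build a throwaway self-signed root (sample input, not a real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(NAME).issuer_name(NAME)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(T0).not_valid_after(T1)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(signing_key, root, revoked_serials):
    """Build a CRL in the root's name listing the given serial numbers."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(root.subject).last_update(T0).next_update(T1))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(T0).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(signing_key, hashes.SHA256())

def root_self_revoked(root, crl):
    """True if a CRL validly signed by the root lists the root's own serial.

    Whether the owner or a key thief signed it, the entry is honoured.
    A CRL that does not verify under the root key proves nothing and is refused.
    """
    if crl.issuer != root.subject or not crl.is_signature_valid(root.public_key()):
        raise ValueError("CRL was not issued by this root")
    return crl.get_revoked_certificate_by_serial_number(root.serial_number) is not None

if __name__ == "__main__":
    key, root = make_root()
    print(root_self_revoked(root, make_crl(key, root, [root.serial_number])))
    print(root_self_revoked(root, make_crl(key, root, [1])))
```

A validator built this way also has to remember the result, since a root that has revoked itself may never issue another CRL.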