Mats Nilsson wrote:

> Goetz Babin-Ebell <[EMAIL PROTECTED]> wrote:
> >You can generate a new root certificate and use it to
> >sign the new CRL which lists the old root certificate as revoked...
> 
> I'm not sure one should recognize the new root ca to be a legitimate
> revoker of the original certificate. Isn't it so, that only the issuer of a
> certificate can revoke a certificate? (where being an "issuer" is
> equivalent to holding the private key)

No.
Everybody can issue a CRL.

A CA can issue a CRL with its own revoked certificates, but it can
issue a CRL with revoked certificates of other CAs (at least in
X509v3...)

When you revoke your root certificate, you could issue a CRL and
ask another CA to include your root certificate in their CRL.

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
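
Added example, not part of the original message or of OpenSSL: a simplified Python model of the RFC 5280 scope rule a relying party applies when a CRL comes from an issuer other than the certificate's own. CRL signature and path validation are assumed to have passed, and all names, serial numbers and data are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:
    issuer: str
    serial: int
    crl_issuer: Optional[str] = None  # cRLIssuer named in the cert's CRL distribution point

@dataclass
class Entry:
    serial: int
    certificate_issuer: Optional[str] = None  # certificateIssuer CRL entry extension

@dataclass
class CRL:
    issuer: str
    indirect: bool = False  # indirectCRL flag in issuingDistributionPoint
    entries: List[Entry] = field(default_factory=list)

def crl_in_scope(cert: Cert, crl: CRL) -> bool:
    """RFC 5280 section 6.3.3 (b)(1): may this CRL speak for this certificate?"""
    if cert.crl_issuer is not None:
        return crl.issuer == cert.crl_issuer and crl.indirect
    return crl.issuer == cert.issuer

def is_revoked(cert: Cert, crl: CRL) -> bool:
    """Assumes the CRL signature and its issuer's path were already validated."""
    if not crl_in_scope(cert, crl):
        return False
    current = crl.issuer  # default certificate issuer for the first entries
    for entry in crl.entries:
        if crl.indirect and entry.certificate_issuer is not None:
            current = entry.certificate_issuer  # applies to following entries too
        if entry.serial == cert.serial and current == cert.issuer:
            return True
    return False

# Constructed sample data (hypothetical names and serial numbers)
OLD, NEW = "CN=Old Root", "CN=New Root"
leaf = Cert(OLD, 7)                       # no cRLIssuer: only OLD's CRLs count
leaf_delegated = Cert(OLD, 7, crl_issuer=NEW)
direct = CRL(OLD, entries=[Entry(7)])
foreign = CRL(NEW, entries=[Entry(7)])    # different issuer, not marked indirect
indirect = CRL(NEW, indirect=True, entries=[Entry(3), Entry(7, OLD), Entry(9)])

if __name__ == "__main__":
    for name, cert, crl in [("direct", leaf, direct), ("foreign", leaf, foreign),
                            ("indirect, not delegated", leaf, indirect),
                            ("indirect, delegated", leaf_delegated, indirect)]:
        print(f"{name}: revoked={is_revoked(cert, crl)}")
```

In this model a CRL from another issuer only takes effect when the certificate's distribution point names that issuer and the CRL is marked indirect.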