Peter Gutmann wrote:
>
> Goetz Babin-Ebell <[EMAIL PROTECTED]> writes:
>
> >Everybody can issue a CRL.
>
> Only a CA with CRL signing enabled can issue a CRL.
Everybody who can generate a certificate with the proper flags
can generate a CRL.
But he has to find a way to let the user trust him in issuing the CRL...
> >A CA can issue a CRL with own revoked certificates but it can issue a CRL
> >with revoked certificates of other CAs (at least in X509v3...)
>
> A CA can't revoke another CA's certificates, only certificates which it has
> issued.
??
ITU-T X509 (06/97):
11.2 Management of certificates
[...]
(page 25:)
- The CA shall maintain:
[...]
b) a time-stamped list of revoked certificates of all CAs known to
the CA, certified by the CA.
2 possible meanings:
- It maintains a CRL of certificates issued by other CAs.
- It maintains a CRL of certificates issued by CAs that use certificates
that this CA issued.
But in the definition of a CRL I didn't find anything saying
that it can only revoke own certificates...
Bye,
Goetz
--
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
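The two points argued above (a CRL is only acceptable from a signer carrying the cRLSign key usage that the relying party trusts, and a plain CRL only speaks for certificates its own issuer issued) as a relying-party check. This is an added example, not code from the thread or from OpenSSL; it assumes the Python `cryptography` library, and the CAs, serial numbers and CRLs it builds are constructed test fixtures.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def make_ca(name, crl_sign):
    """Self-signed CA (constructed fixture); crl_sign sets the keyUsage cRLSign bit."""
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subj).issuer_name(subj)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False,
                                         key_encipherment=False, data_encipherment=False,
                                         key_agreement=False, key_cert_sign=True,
                                         crl_sign=crl_sign, encipher_only=False,
                                         decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(key, cert, serials):
    """CRL signed by the given CA, listing the given serial numbers as revoked."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(cert.subject)
         .last_update(NOW).next_update(NOW + DAY))
    for s in serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(key, hashes.SHA256())

def crl_status(crl, signer, serial, cert_issuer):
    """What a CRL, signed by `signer` (a CA the relying party trusts), says about the
    certificate `serial` issued by `cert_issuer`.
    'untrusted'   - the CRL is not acceptable from this signer at all
    'not-covered' - the CRL is valid but does not speak for that issuer's certificates
    'revoked' / 'good' - the CRL's verdict on the serial number"""
    ku = signer.extensions.get_extension_for_class(x509.KeyUsage).value
    if (crl.issuer != signer.subject or not ku.crl_sign
            or not crl.is_signature_valid(signer.public_key())):
        return "untrusted"  # wrong signer, cRLSign bit absent, or bad signature
    # A plain (non-indirect) CRL only lists certificates its own issuer issued;
    # another CA's serial numbers live in a different namespace.
    if cert_issuer != crl.issuer:
        return "not-covered"
    return "revoked" if crl.get_revoked_certificate_by_serial_number(serial) else "good"
```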
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]