Can you please elaborate on how the higher-layer security infrastructure would go about this? To me, it just seems impossible to do this, and the issue might only be mitigated by spreading awareness through an out-of-band means, but not eliminated until, of course, the self-signed CA certificate expires.
On Mon, Jan 26, 2009 at 9:20 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
> A self-signed CA certificate (technically, a "trust anchor") cannot be
> revoked via CRL. This is assumed to be a function of the higher-layer
> security infrastructure which led to the trust anchor being trusted in
> the first place, and is outside the scope of CRL.
>
> -Kyle H
>
> On Mon, Jan 26, 2009 at 9:17 PM, PS <mytechl...@gmail.com> wrote:
> > Hi All,
> > Is it possible to revoke a self-signed CA certificate?
> >
> > If yes, then I don't understand why it should be allowed. It does not make
> > sense. The only reason a root CA would want to revoke its own certificate is
> > if its private key might have been compromised. So, the CA would want to
> > revoke its certificate and create a new CRL.
> > But since the private key is compromised, the attacker can always use the
> > private key (of the CA), and create yet another CRL and distribute it.
> >
> > This looks like a chicken-and-egg problem because you are trusting a
> > CRL sent by a CA and the CRL says not to trust the very same CA
> > since its certificate is revoked. What is the solution to this problem? Any
> > insights?
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
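To make Kyle's point concrete, here is an added Go example (not code from this thread or from the OpenSSL project) that builds a constructed self-signed root, issues a leaf under it, and then signs a CRL with the root's own key that lists the root's own serial. The CRL verifies perfectly under that key, which is exactly the circularity PS describes: the CRL cannot be the thing that withdraws trust, because it is authenticated by the very key in question. What actually stops chains from verifying is removing the anchor from the relying party's trust store, which is the "higher-layer" action. The `TrustStore` type and all function names are assumptions for illustration; only `crypto/x509` from the Go standard library is used (the `RevokedCertificates` field is the older, still-supported spelling, chosen so the code builds on Go 1.19 and later).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustStore (hypothetical) is the relying party's set of trust anchors, keyed by
// SHA-256 fingerprint of the DER certificate. Withdrawing an anchor here is the
// out-of-band action that a CRL signed by the anchor itself cannot perform.
type TrustStore struct {
	anchors map[[32]byte]*x509.Certificate
}

func NewTrustStore(roots ...*x509.Certificate) *TrustStore {
	ts := &TrustStore{anchors: map[[32]byte]*x509.Certificate{}}
	for _, r := range roots {
		ts.anchors[sha256.Sum256(r.Raw)] = r
	}
	return ts
}

// Withdraw drops a root; chains terminating in it stop verifying immediately.
func (ts *TrustStore) Withdraw(root *x509.Certificate) {
	delete(ts.anchors, sha256.Sum256(root.Raw))
}

// Pool renders the current anchors as the Roots for x509 chain building.
func (ts *TrustStore) Pool() *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range ts.anchors {
		pool.AddCert(r)
	}
	return pool
}

// MakeRoot builds a constructed self-signed CA allowed to sign certs and CRLs.
func MakeRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf issues a constructed end-entity certificate under root.
func IssueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SelfRevokingCRL signs, with the root's own key, a CRL listing the root's own serial.
func SelfRevokingCRL(root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: root.SerialNumber, RevocationTime: now}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// RootListedInOwnCRL reports whether crl verifies under root's key AND names root's
// serial: the circular "this key says do not trust this key" statement from the thread.
func RootListedInOwnCRL(root *x509.Certificate, crl *x509.RevocationList) (bool, error) {
	if err := crl.CheckSignatureFrom(root); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(root.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// VerifyLeaf chains leaf to whatever anchors the store holds right now.
func VerifyLeaf(store *TrustStore, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store.Pool()})
	return err
}

func main() {
	root, key, err := MakeRoot("Constructed Example Root")
	if err != nil {
		panic(err)
	}
	leaf, _ := IssueLeaf(root, key, "service.example.test")
	crl, _ := SelfRevokingCRL(root, key)
	listed, err := RootListedInOwnCRL(root, crl)
	fmt.Println("CRL signed by root verifies and lists root itself:", listed, err)
	store := NewTrustStore(root)
	fmt.Println("verify before anchor withdrawal:", VerifyLeaf(store, leaf))
	store.Withdraw(root)
	fmt.Println("verify after anchor withdrawal:", VerifyLeaf(store, leaf))
}
```

The CRL check succeeds whether the CRL was produced by the legitimate operator or by whoever holds the compromised key, so a relying party learns nothing from it about whether to keep the anchor; only the trust-store change (a browser or OS root-program update, a configuration push, or an operator editing the CA bundle by hand) makes the chain fail, which is what "outside the scope of CRL" means in practice.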