> Can you please elaborate on how would the higher-layer security
> infrastructure go about this?

Simply put, whatever put the certificate in its trusted position is what is to remove it. If a CA says to trust a certificate, that CA can say not to. But if the certificate is self-signed, the trust came from the user who said to trust it (or some other mechanism outside the scope of the certificate verification scheme). That same mechanism is the only thing that can say to stop trusting it.

> To me, it just seems impossible to do this and the issue might only
> be mitigated by spreading awareness by an out-of-band means but not eliminated
> until of course, the self-signed CA certificate expires.

It's not impossible. Just use the same technique that installed the self-signed certificate to uninstall it. If you could get it trusted somehow, why can't you get it untrusted that same way?

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
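The point DS makes above, as an added example that is not part of the original thread: a self-signed certificate is trusted only because the local trust store says so, so the same write to that store that installed it is what removes it. It assumes the `openssl` command-line tool is on PATH; all certificates and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the openssl-users thread. Two throwaway self-signed
# certificates are generated: "other" stands in for whatever else the trust store
# already holds, "cert" is the self-signed certificate whose trust we manage.
WORK="${TMPDIR:-/tmp}/selfsigned-trust-demo.$$"
mkdir -p "$WORK"

# Generate one self-signed certificate; $1 is a placeholder name, $2 the CN.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Build both certificates and start with a trust store that contains only "other".
setup_demo() {
  make_selfsigned other "other-root.invalid" || return 1
  make_selfsigned cert  "selfsigned-demo.invalid" || return 1
  cp "$WORK/other.pem" "$WORK/trust.pem"
}

# "Install" trust: the out-of-band step the thread describes is nothing more
# than writing the certificate into the store this verifier consults.
trust_install() { cat "$WORK/other.pem" "$WORK/cert.pem" > "$WORK/trust.pem"; }

# "Uninstall" trust by the very same mechanism: rewrite the store without it.
trust_remove() { cp "$WORK/other.pem" "$WORK/trust.pem"; }

# Report whether cert.pem verifies against our store alone; the system
# defaults are disabled so the answer reflects only trust.pem.
trust_state() {
  if openssl verify -no-CApath -no-CAfile -CAfile "$WORK/trust.pem" \
       "$WORK/cert.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

cleanup_demo() { rm -rf "$WORK"; }
```

Run `setup_demo`, then `trust_state` before and after `trust_install` and `trust_remove` to watch the verdict flip with nothing but the trust file changing.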