Hi Erwann,

> -----Original Message-----
> From: Erwann Abalea
>
> Hello,
>
> While testing Apache-trunk (which will become apache 2.3.15), including
> the patch to use OpenSSL CRL validation, I've come to disagree with what
> OpenSSL does.
>
> My scheme is:
> - CA1 is a root (trust anchor), which is now in its first generation
>   (let's call it CA1g1)
> - U1, U2, U3 are end-user certificates, issued by CA1
> - U1 is revoked, and the CRL is published (let's call it CRLg1)
You can't revoke a root CA by the means of a CRL. This works only out-of-band, i.e. you have to declare that the root CA in question is revoked and spread the news to all your customers. The problem here is that you can't trust a CRL when its signature key is compromised.

The X.509 2008 edition category b) concept that you cite is new to me and according to my understanding of PKI this doesn't make sense, because there is no trust relationship between any self-signed keys, so I can't trust that key 2 has any relationship to key 1, especially not to issue its CRLs.

Patrick Eisenacher

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
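The scenario from Erwann's message, as an added example that is not part of this thread or of OpenSSL/Apache: it builds CA1 in two generations with the Python `cryptography` library (constructed keys, names and serials), issues U1 and U2 from CA1g1, publishes CRLg1 revoking U1, and shows why a CRL signed by a second self-signed key carrying the same name (here one that lists CA1g1 itself) cannot be accepted under the CA1g1 trust anchor, which is the point Patrick makes about key 2 having no trust relationship to key 1.

```python
# Added example (not from the thread); requires the `cryptography` package.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime(2011, 1, 1)          # constructed fixed clock
LATER = NOW + datetime.timedelta(days=365)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def make_ca(cn):
    """Self-signed CA; each call makes a fresh key, i.e. a new 'generation'."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(LATER)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue(ca_key, ca_cert, cn, serial):
    """End-user certificate signed by the given CA generation."""
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(ca_cert.subject)
            .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(serial).not_valid_before(NOW).not_valid_after(LATER)
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(LATER))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def crl_trusted(crl, anchor):
    """Usable only if the issuer name matches AND the signature verifies under the anchor key."""
    return crl.issuer == anchor.subject and crl.is_signature_valid(anchor.public_key())
def is_revoked(cert, crl, anchor):
    if not crl_trusted(crl, anchor):
        raise ValueError("CRL is not signed by the trusted CA key; it must not be used")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

g1_key, g1_cert = make_ca("CA1")   # CA1g1, the trust anchor
g2_key, g2_cert = make_ca("CA1")   # CA1g2: same name, unrelated key
u1 = issue(g1_key, g1_cert, "U1", 1)
u2 = issue(g1_key, g1_cert, "U2", 2)
crl_g1 = make_crl(g1_key, g1_cert, [u1.serial_number])        # CRLg1 revokes U1
crl_g2 = make_crl(g2_key, g2_cert, [g1_cert.serial_number])   # claims to revoke CA1g1
```

`crl_g2` carries the same issuer name as the anchor but fails `crl_trusted` because its signature does not verify under CA1g1's key, so `is_revoked` refuses to consult it at all.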