> -----Original Message-----
> From: Jakob Bohm
> 
> On 30-07-2013 20:53, Walter H. wrote:
> > On 30.07.2013 19:51, Eisenacher, Patrick wrote:
> 
> In Boolean logic, we have the following possibilities:
> 
> - Root is trusted, so the revocation is valid, so the root is not
>   trusted.  This is a contradiction so cannot hold.
> 
> - Root is not trusted, by elimination this must be true.
> 
> >>   You have to communicate this fact out-of-band.
> >>
> >> I never understood why some root-cas put a crldp extension into their
> >> own certs.
> >>
> > this makes sense in any cert except the root (self-signed) cert.
> >
> It makes sense for any non-broken client implementation.
> 
> Ideally, such roots keep an off-line copy of a pre-signed self-
> revocation CRL, similar to the procedure used by experienced PGP
> users (those who actually read the PGP 2.x manual).  In case of
> combined key compromise and loss, the off-line CRL is published,
> thereby revoking the entire hierarchy.
> 
> The worst case disaster scenario is a large scale armed attack on the
> center that keeps the private key.  The attackers now have exclusive
> control of the private key.  But a far away trusted person can still
> retrieve the self-destruction CRL and publish it through every means
> imaginable, such as S/MIME e-mails (PEM style), sending it to software
> update organisations (Microsoft, Mozilla, Apple, Google...) and for
> all but one country, getting IANA/Internic assistance to force repoint
> the DNS names of the CRL server to another server that serves up this
> CRL and a message about the compromise.
> 
> The less worst case disaster scenario is an ordinary key compromise,
> where the CA still has the private key and can sign a more precisely
> dated revocation CRL and put the OCSP server in "all is revoked" mode.
> 
> Unfortunately, OpenSSL is broken and will apparently ignore all such
> emergency messages.

Jakob, I don't understand your reasoning here.

You can't trust a signature of a compromised key. So if the root-ca's private 
key gets compromised, you can't trust any of its issued crls and certificates 
anymore. As such, pre-generating a crl for the case the root-ca doesn't have 
access to its private key anymore doesn't seem to make sense. The root-ca's 
only choice here is communicating this fact out of band to its customers, so 
they can remove the compromised root-ca certificate from their truststores, 
which is exactly what is happening today. The browser vendors even put it on an 
internal blacklist, so re-adding it to the truststore won't have any effect. I 
can't see where openssl is broken in this regard.


Patrick Eisenacher
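
The pre-signed self-revocation CRL described in the quoted message, together with a client-side check that recognises it, sketched as an added example (not code from either poster or from OpenSSL). It assumes the Python `cryptography` package; the function names `make_root`, `presign_self_revocation` and `anchor_self_revoked`, the subject names and the dates are constructed for illustration.

```python
# Added example: models the self-revocation CRL debated in this thread.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2013, 7, 30)  # constructed sample date

def make_root(cn):
    """Build a self-signed root with a throwaway key (constructed sample)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW)
            .not_valid_after(NOW + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                           critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def presign_self_revocation(key, root):
    """CRL signed by the root key that lists the root's own serial number."""
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(root.serial_number)
             .revocation_date(NOW).build())
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(root.subject)
            .last_update(NOW)
            .next_update(NOW + dt.timedelta(days=3650))
            .add_revoked_certificate(entry)
            .sign(key, hashes.SHA256()))

def anchor_self_revoked(root, crl):
    """True if crl verifies under root's key and revokes root itself."""
    if crl.issuer != root.subject:
        return False  # CRL was issued under a different name
    if not crl.is_signature_valid(root.public_key()):
        return False  # not signed by this trust anchor's key
    hit = crl.get_revoked_certificate_by_serial_number(root.serial_number)
    return hit is not None
```

The check only establishes that a holder of the root's private key signed a CRL listing the root itself; whether a client should drop the trust anchor on that basis is the policy question argued in the thread.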