> -----Original Message-----
> From: Walter H.
>> Eisenacher, Patrick wrote:
> >> -----Original Message-----
> >> From: Jakob Bohm
>>
>> As I said before, there's no pki-inherent mechanism to revoke a self signed
>> certificate other than to remove it from your truststore.
>
> not really; a CA that has to revoke one of their root cert. - these are
> always self signed - uses a cert that comes from another root cert., or
> this root cert itself to sign the CRL where it revokes the compromised
> root cert;
> doing so has a totally different quality: the CA can't remove their
> compromised root cert from the trusted cert store of your system, but
> with the CRL they can tell your system, not to trust any cert that was
> signed by the compromised root cert;

This is not possible according to PKIX. RFC 5280 states "The trust anchor for
the certification path [of the CRL] MUST be the same as the trust anchor used
to validate the target certificate."


Patrick Eisenacher
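
The rule quoted from RFC 5280 above, as an added example that is not part of the original thread: it uses the Python `cryptography` package on constructed certificates and shows that a CRL signed by a different root is ignored for a path anchored at the first root. The names `Root A`, `Root B`, `leaf` and the helper `crl_usable` are hypothetical, and CRLs are assumed to be issued directly by the trust anchor.

```python
# Added example: RFC 5280 trust-anchor rule for CRLs, on constructed certificates.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1)  # constructed validity start

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key):
    return (x509.CertificateBuilder().subject_name(name(cn))
            .issuer_name(name(issuer_cn)).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_cn, issuer_key, serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn))
         .last_update(NOW).next_update(NOW + dt.timedelta(days=30)))
    for s in serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def crl_usable(crl, crl_anchor, target_anchor):
    """Hypothetical check: accept a CRL only if it chains to the target's anchor."""
    fp = lambda c: c.fingerprint(hashes.SHA256())
    if fp(crl_anchor) != fp(target_anchor):
        return False  # different trust anchor: RFC 5280 says ignore this CRL
    return crl.is_signature_valid(crl_anchor.public_key())

def demo():
    key_a, key_b, key_leaf = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root_a = make_cert("Root A", key_a, "Root A", key_a)   # self-signed
    root_b = make_cert("Root B", key_b, "Root B", key_b)   # self-signed
    leaf = make_cert("leaf", key_leaf, "Root A", key_a)    # chains to Root A
    # Root B "revokes" Root A: valid signature, wrong anchor for leaf's path.
    cross = make_crl("Root B", key_b, [root_a.serial_number])
    # Root A revokes the leaf: same anchor as the leaf's path.
    own = make_crl("Root A", key_a, [leaf.serial_number])
    hit = own.get_revoked_certificate_by_serial_number(leaf.serial_number)
    return (crl_usable(cross, root_b, root_a),
            crl_usable(own, root_a, root_a), hit is not None)

if __name__ == "__main__":
    print(demo())  # (False, True, True)
```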