Kyle,

Kyle Hamilton wrote:

I think we all understand that the basic concept of a root-signed
self-revocation is workable, in principle, at the information level.

There may be substantial implementation questions...

There are those who don't think so, since the operations defined at
the Root level include "revoking certificates" as well as "derevoking
certificates", via CRL.

There is the matter of the "scope" of a CRL. You may want to read about that. See section 5 of RFC3280.

The CRL is always signed by a given CRL signer cert, which is outside of the CRL scope.

There is no such thing as a "suicide note" in X.509 or PKIX.

Indeed. And I'm not saying suicide notes are impractical - just that they aren't defined by PKIX, and we probably would not want to implement them as CRLs. At the very least they would not fit the existing definitions for CRLs.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
