RFC3280 has been obsoleted by RFC5280. Aside from that, though...

...did the people who created PKIX just not realize that if a non-root certificate needs the ability to be revoked, a root certificate would also?

-Kyle H

On Thu, Oct 23, 2008 at 3:39 PM, Julien R Pierre - Sun Microsystems <[EMAIL PROTECTED]> wrote:
> Kyle,
>
> Kyle Hamilton wrote:
>
>>> I think we all understand that the basic concept of a root-signed
>>> self-revocation is workable, in principle, at the information level.
>>>
>>> There may be substantial implementation questions...
>>
>> There are those who don't think so, since the operations defined at
>> the Root level include "revoking certificates" as well as "derevoking
>> certificates", via CRL.
>
> There is the matter of the "scope" of a CRL. You may want to read about
> that. See section 5 of RFC3280.
>
> The CRL is always signed by a given CRL signer cert, which is outside of the
> CRL scope.
>
>> There is no such thing as a "suicide note" in X.509 or PKIX.
>
> Indeed. And I'm not saying suicide notes are impractical - just that they
> aren't defined by PKIX, and we probably would not want to implement them as
> CRLs. At the very least they would not fit the existing definitions for
> CRLs.
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto