Peter Mate Erdosi <[email protected]> writes: >I have a question about the revocation of the root certificate. I have not >found "Reasons for Revoking a Root CA Certificate" chapter in the BRs.
That's because it's... well... The handling of CA root certificates is particularly problematic because there’s no effective way to replace or revoke them. Consider what would be required to revoke a CA root certificate. These are self-signed, which means that the certificate would be revoking itself. In the presence of such a revocation applications can react in one of three ways: they can accept the CRL that revokes the certificate as valid and revoke it, they can reject the CRL as invalid because it was signed by a revoked certificate, or they can crash, and some applications will indeed crash in this situation. Since revocation of a self-signed certificate is the PKI version of Epimenedes paradox “All Cretans are liars” and PKI applications are unlikely to be coded to deal with self-referential paradoxes, crashing is a perfectly valid response. Peter. -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/SY4PR01MB625142C66DB0B30DD125741EEE4F2%40SY4PR01MB6251.ausprd01.prod.outlook.com.
