Eddy Nigg wrote:
Now IMO as the root certificate signs itself, with the same authority it should be able to revoke itself. This would result obviously in repeating the process until the root is removed and not used anymore, but it would mark the root and all certificates signed by it revoked.

I'm not sure what you mean by "repeating the process". How would such revocation work in practice (assuming a PKI library that did CRL checking for roots)? Would the root just sign a CRL with its own certificate's serial number on it? Presumably at that point any application retrieving such a CRL would note revocation of the root certificate, and from that point forward would refuse to recognize as valid any certificates chaining up to the root, any subsequent CRLs signed by the root, and so on. Or am I missing something?

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
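
The behaviour asked about above, modelled as an added example (not from the thread and not code from NSS or any other PKI library): a validator that honours a CRL in which the root lists its own serial number. HMAC under a shared key stands in for real signatures, and `Validator`, `make_cert`, `make_crl` and all keys, serials and host names are hypothetical.

```python
import hashlib
import hmac

# Model only: HMAC under one shared key stands in for the root's signature.
# Key, serial numbers and host names are constructed for this example.
ROOT_KEY = b"constructed-root-key"
ROOT_SERIAL = 1

def _tbs(obj):
    # Bytes covered by the signature: every field except the signature itself
    return repr(sorted((k, v) for k, v in obj.items() if k != "sig")).encode()

def _signed(obj):
    obj["sig"] = hmac.new(ROOT_KEY, _tbs(obj), hashlib.sha256).digest()
    return obj

def make_cert(subject, serial):
    return _signed({"subject": subject, "serial": serial})

def make_crl(number, revoked_serials):
    return _signed({"number": number, "revoked": tuple(sorted(revoked_serials))})

class Validator:
    def __init__(self):
        self.root_revoked = False
        self.revoked = ()
        self.crl_number = 0

    def _sig_ok(self, obj):
        expected = hmac.new(ROOT_KEY, _tbs(obj), hashlib.sha256).digest()
        return hmac.compare_digest(expected, obj.get("sig", b""))

    def load_crl(self, crl):
        # A revoked root can no longer vouch for anything, its own CRLs included
        if self.root_revoked or not self._sig_ok(crl) or crl["number"] <= self.crl_number:
            return False
        self.crl_number, self.revoked = crl["number"], crl["revoked"]
        self.root_revoked = ROOT_SERIAL in crl["revoked"]
        return True

    def cert_valid(self, cert):
        if self.root_revoked or not self._sig_ok(cert):
            return False
        return cert["serial"] not in self.revoked

def demo():
    v = Validator()
    leaf = make_cert("www.example.test", 42)
    before = v.cert_valid(leaf)
    accepted = v.load_crl(make_crl(1, [ROOT_SERIAL]))  # root lists itself
    undo = v.load_crl(make_crl(2, []))  # later CRL dropping the entry
    return before, accepted, undo, v.cert_valid(leaf)
```

The second `load_crl` call in `demo` shows that the revocation is one-way in this model: once the self-listing CRL is accepted, a later CRL that omits the root's serial is refused because its signer is no longer trusted.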
