Julien Pierre wrote:

I'm assuming that in the above scenario, the sub-root CA, and not the root CA, signs the CRL with its private key. I believe that this is correct.


It's valid. There are other ways. See RFC3280 section 4.2.1.4 and 5 for more info about CRL issuer and delegation.

Also, a given CA may have multiple private keys, used to sign different objects. This would lead to multiple CA certs with different extendedkeyusage.


Also, see section 5.2.1 in RFC3280 on AuthorityKeyId, and if you are using an NSS-based product,
http://bugzilla.mozilla.org/show_bug.cgi?id=217387
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
