If the key for the first cert was compromised (fell into the wrong hands), and that cert was self-signed, how can you possibly do revocation on it?
I don't know, but I could in any case send out a (computer-parsable) statement "this cert is invalid from now on", signed by that cert. Then I am no worse off than if I never had a cert. This is assuming, of course, that I also still have a copy of the private key somewhere.
I personally don't worry all that much about the compromised key case, because that's something I can prevent (or I am screwed anyways). I can't prevent the problems in the model.
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
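The signed "this cert is invalid from now on" statement the reply describes, worked through as an added Go example that is not from the mailing list thread: it generates a self-signed P-256 certificate, signs a revocation statement with the cert's own key, and shows how a relying party checks the statement before trusting the cert. The statement format (fingerprint plus a revocation time), the field names and the function names are my own assumptions, not anything the thread specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatement is a hypothetical machine-readable "this cert is invalid
// from now on" message. It names the cert by SHA-256 fingerprint and carries
// an ECDSA signature (ASN.1 encoded) made with the cert's own private key.
type RevocationStatement struct {
	CertFingerprint string    `json:"cert_fingerprint"`
	RevokedFrom     time.Time `json:"revoked_from"`
	Signature       []byte    `json:"signature"`
}

// NewSelfSignedCert generates a P-256 key and a self-signed certificate for it.
func NewSelfSignedCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Fingerprint is the hex SHA-256 of the DER-encoded certificate.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// tbs returns the exact bytes that are signed: a fixed string form rather than
// the JSON, so re-encoding the JSON cannot change what the signature covers.
func (r RevocationStatement) tbs() []byte {
	return []byte("revoke|" + r.CertFingerprint + "|" + r.RevokedFrom.UTC().Format(time.RFC3339Nano))
}

// SignRevocation produces the statement with the cert's own private key. Run at
// cert-creation time and stored, it removes the need to still hold the key later.
func SignRevocation(cert *x509.Certificate, key *ecdsa.PrivateKey, from time.Time) (RevocationStatement, error) {
	r := RevocationStatement{CertFingerprint: Fingerprint(cert), RevokedFrom: from.UTC()}
	digest := sha256.Sum256(r.tbs())
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return RevocationStatement{}, err
	}
	r.Signature = sig
	return r, nil
}

// VerifyRevocation checks that the statement names this cert and that its
// signature verifies under the public key inside the cert itself.
func VerifyRevocation(cert *x509.Certificate, r RevocationStatement) error {
	if r.CertFingerprint != Fingerprint(cert) {
		return errors.New("statement does not name this certificate")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported public key type")
	}
	digest := sha256.Sum256(r.tbs())
	if !ecdsa.VerifyASN1(pub, digest[:], r.Signature) {
		return errors.New("signature does not verify under the certificate's key")
	}
	return nil
}

// IsTrustedAt is the relying party's decision: the cert must be inside its
// validity window, and no verified revocation statement may cover time t.
// A statement that fails verification is ignored, so only the key holder can revoke.
func IsTrustedAt(cert *x509.Certificate, rev *RevocationStatement, t time.Time) bool {
	if t.Before(cert.NotBefore) || t.After(cert.NotAfter) {
		return false
	}
	if rev != nil && VerifyRevocation(cert, *rev) == nil && !t.Before(rev.RevokedFrom) {
		return false
	}
	return true
}

func main() {
	cert, key, err := NewSelfSignedCert("self-signed example")
	if err != nil {
		panic(err)
	}
	rev, err := SignRevocation(cert, key, time.Now())
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(rev, "", "  ") // the computer-parsable form to publish
	fmt.Println(string(out))
	fmt.Println("trusted one second later:", IsTrustedAt(cert, &rev, time.Now().Add(time.Second)))
}
```

Anyone holding the private key can produce such a statement, which is exactly the reply's point: a thief of the key can at worst make the cert unusable, leaving its owner where they would be without a cert. The relying party accepts only a statement that names this cert and verifies under the cert's own key, so a third party without the key cannot revoke it, and signing the statement at creation time and storing it offline covers the reply's assumption of still having a copy of the key later.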
