Julien Pierre wrote:
I'm saying the standard defines no way to revoke a lost CA root, because it doesn't make sense. When a root is compromised, there is no PKI standard that can fix this.
To be precise, the standard says that path validation begins with a trust anchor, and that the trust anchor is outside of the path validation algorithm.
In fact the trust anchor does not have to be a certificate, only a public key and a DN are required. So you can use anything you choose as your trust anchor, for example a non-self signed certificate.
_______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
