Ian G <[EMAIL PROTECTED]> writes: >Oh... so it's written in the standard. Are you >saying that the standard defines no way to revoke >a lost CA root?
The standard treats CA roots in extremely strange ways. Among other things, it says that CA root certs aren't subject to any verification (apart from signature and validity, obviously). So if you put some attributes in a root cert, the spec requires that you not use them for path validation: "When the trust anchor is provided in the form of a self-signed certificate, this self- signed certificate is not included as part of the prospective certification path". Discovering this hidden in the spec has come as a considerable surprise to everyone that gets told about it (Nelson, did you know about it? I'd never heard of it until an X.509 author told me about it). I suspect that 100% of implementations are non-compliant with this requirement (actually I know of one that I'm pretty sure does do this, but since I'm not sure I won't name it). Peter. _______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
