Ben Laurie <[EMAIL PROTECTED]> wrote:
>Eh? Surely if a cert revokes itself then one of two things has happened:
>
>a) The legitimate owner revoked it
>
>b) Someone else got hold of the private key and revoked it
>
>in either case, you want the cert to be revoked, right?
In case b, nothing would stop the impostor from issuing yet another CRL, one
where the root certificate is no longer marked as revoked. It would surely
fool some users.
It's quite clear that an out-of-band procedure is necessary.
Goetz Babin-Ebell <[EMAIL PROTECTED]> wrote:
>You can generate a new root certificate and use it to
>sign the new CRL which lists the old root certificate as revoked...
I'm not sure one should recognize the new root CA to be a legitimate
revoker of the original certificate. Isn't it so that only the issuer of a
certificate can revoke a certificate? (where being an "issuer" is
equivalent to holding the private key)
Mats
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
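The two points argued in this thread can be reproduced with the openssl command line. The script below is an added example, not code from the OpenSSL project or from any of the posters; it assumes only that an openssl binary is on PATH, and every key, name, serial and file in it is constructed for the demonstration. It builds an "Old Root CA" and an unrelated "New Root CA", then (a) has the old root revoke itself, (b) has the new root publish a CRL listing the old root, as Goetz proposed, and (c) has whoever holds the old root's key publish a later, empty CRL, which is Mats' case b. The check functions then show what a relying party that trusts only one root cert makes of each CRL.

```shell
#!/bin/sh
# Added example for this thread (not OpenSSL project code, not a poster's code).
# Assumption: the openssl CLI is on PATH. All keys, names and files are constructed here.
set -e

# Write a minimal "openssl ca" config. $1 = output file, $2 = CA cert,
# $3 = CA key, $4 = index (database) file. The serial and crlnumber files are shared.
make_ca_cnf() {
  cat > "$1" <<EOF
[ ca ]
default_ca = demo

[ demo ]
dir = .
database = $4
new_certs_dir = .
certificate = $2
private_key = $3
serial = serial
crlnumber = crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy

[ demo_policy ]
commonName = supplied
EOF
}

# Build the whole scenario in a fresh temporary directory and stay there.
setup_demo() {
  DEMO=$(mktemp -d)
  cd "$DEMO"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Old Root CA" \
    -keyout old.key -out old.crt >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=New Root CA" \
    -keyout new.key -out new.crt >/dev/null 2>&1
  echo 01 > serial
  echo 01 > crlnumber
  : > db_old; : > db_new; : > db_empty
  make_ca_cnf old.cnf    old.crt old.key db_old
  make_ca_cnf new.cnf    new.crt new.key db_new
  make_ca_cnf replay.cnf old.crt old.key db_empty

  # (a) The old root revokes itself: a CRL signed with old.key that lists old.crt.
  openssl ca -config old.cnf -revoke old.crt >/dev/null 2>&1
  openssl ca -config old.cnf -gencrl -out self_revoked.crl >/dev/null 2>&1

  # (b) Goetz's proposal: an unrelated new root issues a CRL listing the old root.
  openssl ca -config new.cnf -revoke old.crt >/dev/null 2>&1
  openssl ca -config new.cnf -gencrl -out new_root.crl >/dev/null 2>&1

  # (c) Mats' case b: a later CRL signed with old.key (by the owner or by an
  #     impostor holding the key) over an empty database, so the root is no
  #     longer listed. Its crlNumber and thisUpdate are newer than (a)'s.
  openssl ca -config replay.cnf -gencrl -out unrevoked.crl >/dev/null 2>&1
}

# Does a relying party that trusts only cert $2 accept CRL $1?
# "openssl crl -verify" looks the CRL issuer up by name in -CAfile and checks the
# signature with that key; prints "verify OK" or "rejected".
crl_verify() {
  if openssl crl -in "$1" -noout -verify -CAfile "$2" 2>&1 | grep -q "verify OK"; then
    echo "verify OK"
  else
    echo "rejected"
  fi
}

# Does CRL $1 list certificate $2 as revoked? Prints "revoked" or "not-revoked".
crl_lists() {
  serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
  if openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial"; then
    echo "revoked"
  else
    echo "not-revoked"
  fi
}

setup_demo
echo "(a) self-revocation CRL vs old root: $(crl_verify self_revoked.crl old.crt), old root $(crl_lists self_revoked.crl old.crt)"
echo "(b) new root's CRL vs old root:      $(crl_verify new_root.crl old.crt)"
echo "(b) new root's CRL vs new root:      $(crl_verify new_root.crl new.crt)"
echo "(c) later CRL from old key vs old root: $(crl_verify unrevoked.crl old.crt), old root $(crl_lists unrevoked.crl old.crt)"
```

Run it as a plain sh script. Case (a) verifies and lists the root, case (b) is rejected by anyone who still trusts only the old root (it only verifies for a client that has already been given new.crt, i.e. after an out-of-band step), and case (c) verifies just as well as (a) while listing nothing, which is why a self-signed revocation cannot be the last word once the private key is in doubt.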