> A CA can't revoke another CA's certificates, only certificates which it has
> issued.
Not so clear -- the CRL contains the issuer DN and a list of serial#'s
(basically), but it doesn't have to be signed by a cert with that
DN.
(Yes, most clients will properly fail to verify, but the data structure
most definitely allows for delegated CRL signing. I'm sure Entrust has
some deltaCRL use that does this. :)
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
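The point made above, that the issuer DN in a CRL is just data and only the signature binds the list to a CA, as an added Go example (not code from this thread or from OpenSSL): it builds a CRL naming one CA as issuer but signed with another CA's key, and shows the relying-party check that separates the two. The CA names, serial 42 and the helper names are constructed for the example; it relies only on the standard crypto/x509 package (Go 1.19 or newer for ParseRevocationList).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCA returns a self-signed CA certificate carrying the cRLSign key usage, plus its key.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// makeCRL encodes a CRL whose issuer field is issuer's Subject DN and which marks serial 42
// (constructed) as revoked, then signs it with signer. Nothing in the encoding ties that DN to the key.
func makeCRL(issuer *x509.Certificate, signer *ecdsa.PrivateKey) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: time.Now()}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, signer)
	if err != nil {
		panic(err)
	}
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// crlAcceptable is the relying-party check: the CRL's issuer DN must name the CA whose certs
// we are checking, and that CA's own key must verify the CRL signature.
func crlAcceptable(crl *x509.RevocationList, ca *x509.Certificate) (dnMatches, sigValid bool) {
	return crl.Issuer.String() == ca.Subject.String(), crl.CheckSignatureFrom(ca) == nil
}
```

Passing `makeCRL(ca, caKey)` and `makeCRL(ca, otherKey)` to `crlAcceptable(…, ca)` returns (true, true) and (true, false): the issuer DN matches in both cases, and only the signature check tells a delegated or foreign-signed list apart from the CA's own.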