Yes. RFC 2459 (and X.509) call this an indirect CRL. See the issuing
distribution point CRL extension and the certificate issuer CRL entry
extension.
Frank
> -----Original Message-----
> From: Rich Salz [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 04, 2000 3:27 PM
> To: [EMAIL PROTECTED]
> Subject: Re: CRLs and self-signed root certs.
>
>
> > A CA can't revoke another CA's certificates, only certificates which it has
> > issued.
>
> Not so clear -- the CRL contains the issuer DN and a list of serial#'s
> (basically), but it doesn't have to be signed by a cert with that DN.
> (Yes, most clients will properly fail to verify, but the data structure
> most definitely allows for delegated CRL signing. I'm sure Entrust has
> some deltaCRL use that does this. :)
> /r$
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
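An added example, not part of the original thread: how a relying party attributes the entries of an indirect CRL to certificate issuers using the two extensions named in the reply above, and when it should accept a CRL whose issuer differs from the certificate issuer. The data model and the DNs are constructed for illustration; DNs are compared as plain strings and signature verification is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Entry:
    serial: int
    certificate_issuer: Optional[str] = None  # certificateIssuer CRL entry extension

@dataclass
class CRL:
    issuer: str      # DN of the CRL issuer (the entity that signed the CRL)
    indirect: bool   # indirectCRL flag in the issuingDistributionPoint extension
    entries: list = field(default_factory=list)

def revoked_pairs(crl):
    """Return the set of (certificate issuer DN, serial) pairs the CRL revokes."""
    current = crl.issuer  # default for the first entry: the CRL issuer itself
    pairs = set()
    for e in crl.entries:
        if e.certificate_issuer is not None:
            if not crl.indirect:
                # Choice made for this example: reject rather than guess.
                raise ValueError("certificateIssuer entry in a non-indirect CRL")
            current = e.certificate_issuer  # sticky: also applies to later entries
        pairs.add((current, e.serial))
    return pairs

def is_revoked(cert_issuer, serial, dp_crl_issuer, crl):
    """dp_crl_issuer: cRLIssuer from the certificate's CRL distribution
    point, or None when the certificate does not delegate revocation."""
    if dp_crl_issuer is not None:
        # Delegated case: the CRL must come from the named issuer and be indirect.
        if crl.issuer != dp_crl_issuer or not crl.indirect:
            raise ValueError("not the delegated indirect CRL for this certificate")
    elif crl.issuer != cert_issuer:
        # No delegation: a CRL from another issuer says nothing about this cert.
        raise ValueError("CRL issuer does not match certificate issuer")
    # Match on issuer AND serial; serial numbers are only unique per issuer.
    return (cert_issuer, serial) in revoked_pairs(crl)

# Constructed sample: one indirect CRL covering certificates from three issuers.
SAMPLE = CRL("CN=CRL Signer", True, [
    Entry(7),               # no extension on first entry: issuer is CN=CRL Signer
    Entry(7, "CN=CA One"),
    Entry(9),               # inherits CN=CA One from the preceding entry
    Entry(7, "CN=CA Two"),
])
```

Serial 9 is revoked only for CN=CA One, so a client that matched on serial number alone would wrongly treat CN=CA Two's serial 9 as revoked.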