Goetz Babin-Ebell <[EMAIL PROTECTED]> writes:

>Peter Gutmann wrote:
>>Goetz Babin-Ebell <[EMAIL PROTECTED]> writes:
>>
>>>Everybody can issue a CRL.
>>
>>Only a CA with CRL signing enabled can issue a CRL.

>Everybody who can generate a certificate with the proper flags can generate a
>CRL.

Sure, but this presupposes:

>>>A CA can issue a CRL with own revoked certificates but it can issue a CRL
>>>with revoked certificates of other CAs (at least in X509v3...)
>>
>>A CA can't revoke another CA's certificates, only certificates which it has
>>issued.
>
>[...]
>
>But in the definition of a CRL I didn't find anything saying that it can only
>revoke own certificates...

The standard can say pretty much anything it wants on the topic, but given that
most current apps barely support any kind of CRL checking I'd say the
usefulness of issuing one of these cross-CRLs is slightly lower than that of
opening your window and shouting "Certificate 1234 from CA xyz is now revoked"
out into the wind (at least one or two people will take notice of that, if only
to shout back at you to shut up :-).  Look at the way Sun revoked their CA cert
a while back for an example of how far CRL functionality is trusted in the real
world, and then extrapolate from normal CRLs to cross-CRLs...

Does anyone know of any generally-available (non-special-case, single-vendor,
customised, etc etc) application which will handle one of these cross-CRLs?

Peter.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
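An added illustration of the scoping rule the thread argues about, written for this page and not code from the original message or from OpenSSL. It models the X.509/RFC 5280 rule in plain Python: an ordinary CRL only speaks for certificates issued by the CRL issuer, and a CRL can cover other CAs' certificates only when it is flagged as an indirect CRL (issuingDistributionPoint indirectCRL = TRUE) and each entry for a foreign certificate is tagged with the certificateIssuer entry extension (which then applies to following entries until the next one). Signature verification over the CRL, the cRLSign key-usage check and distribution-point name matching are deliberately left out; the issuer names, serials and the `revocation_status` / `is_revoked` helpers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data: issuer names are distinguished-name strings,
# serials are plain integers. Real code would compare DER-encoded Names.


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    # certificateIssuer CRL entry extension (RFC 5280 5.3.3); only
    # meaningful in an indirect CRL.
    certificate_issuer: Optional[str] = None


@dataclass
class Crl:
    issuer: str
    # issuingDistributionPoint indirectCRL flag (RFC 5280 5.2.5)
    indirect: bool = False
    entries: List[CrlEntry] = field(default_factory=list)


def crl_applies(cert: Cert, crl: Crl) -> bool:
    """A CRL is in scope for a cert only if the same CA issued both,
    or if the CRL announces itself as an indirect CRL."""
    if crl.issuer == cert.issuer:
        return True
    return crl.indirect


def is_revoked(cert: Cert, crl: Crl) -> Optional[bool]:
    """True/False if the CRL speaks for this cert, None if it is out of scope.

    Entries inherit their issuer from the CRL issuer until a
    certificateIssuer extension appears, after which that issuer applies
    to all following entries until the next such extension.
    """
    if not crl_applies(cert, crl):
        return None
    current_issuer = crl.issuer
    for entry in crl.entries:
        if entry.certificate_issuer is not None:
            current_issuer = entry.certificate_issuer
        if current_issuer == cert.issuer and entry.serial == cert.serial:
            return True
    return False


def revocation_status(cert: Cert, crls: List[Crl]) -> str:
    """'revoked', 'good', or 'undetermined' when no CRL is in scope
    (a "cross-CRL" from an unrelated CA without the indirect flag
    contributes nothing, which is the situation the thread describes)."""
    saw_applicable = False
    for crl in crls:
        result = is_revoked(cert, crl)
        if result is None:
            continue
        saw_applicable = True
        if result:
            return "revoked"
    return "good" if saw_applicable else "undetermined"


if __name__ == "__main__":
    cert = Cert("CN=CA xyz", 1234)
    # CA abc "shouting out of the window" that xyz's cert 1234 is revoked
    cross = Crl(issuer="CN=CA abc", entries=[CrlEntry(1234)])
    print(revocation_status(cert, [cross]))  # undetermined
    # the same statement made properly, as an indirect CRL
    indirect = Crl(issuer="CN=CA abc", indirect=True,
                   entries=[CrlEntry(1234, certificate_issuer="CN=CA xyz")])
    print(revocation_status(cert, [indirect]))  # revoked
```

The point of the `undetermined` result is that a checker which silently treats "no applicable CRL" as "good" will never notice a cross-CRL at all; a checker which treats it as a hard failure will refuse every certificate whose CA publishes no CRL, which is one reason CRL checking is so often switched off in practice.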
