Today, the day after the Ides of March 2006 (16 March 2006), Kyle Hamilton wrote:

> ...except that it's not.
>
> A later certificate (w/ different public key) with the same CN can
> issue revocations against an earlier certificate with the same CN, per
> X.509. That's part of the problem with the entire X.509 model in the
> first place.
There's no problem with the X.509 model. You're right that a certificate signed by a CA can be revoked by another CA which has the same exact DN (not CN). The reason is simple: the X.509 standard states that a CA is designated by its name, not by its certificate (or public key). That has 2 advantages:

- a CA can have different keys for certificate signing and CRL signing,
- a CA can be renewed without invalidating all the previous certificates, and still take them under its "control".

But what you're trying to say (that Mr Bad could create a certificate with the same DN as a valid CA, and revoke certs emitted by this CA without other intervention) is simply false. You *must* tell the software to trust this certificate, there's no way for this to be automatic (except in the SET scheme, but that's not the point here).

> On 3/15/06, David Schwartz <[EMAIL PROTECTED]> wrote:
> >
> > > So if what you are saying is true then I could call
> > > myself the same name as a trusted CA authority when
> > > making my root CA and the browser will think I am a
> > > trusted CA. Is that correct? It seems too simple to be true.....
> >
> > No. CAs are not identified by name but by key. That's the whole
> > purpose of
> > a certificate -- to associate a name with a particular key.

-- 
Erwann ABALEA <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]