On 31-07-2013 22:11, Salz, Rich wrote:
>> Wouldn't it be just as good to have a cRLDistributionPoint which does not restrict the
>> available ReasonFlags and then put "cACompromise" in the CRL if/when that
>> disaster happens?
>
> No because with my idea you a priori restrict the crlDP to be only CA
> revocation.
>
>> Wouldn't it be equally good to use the same crl-signing cert already used for
>> the regular CRL of revoked next-level certs?
>
> Operational decision -- do you trust the people who revoke your certs exactly like you
> trust the people who revoke "you" ?

The presumption is that "I" sign all the CRLs using a tool (a HSM)
that will tell me if the underlings try to sneak in "me" on the
list.

>> Would it be possible to use the same CRL and cRLDistributionPoint for both
>> child certs and self-revocation (abdication)?
>
> I think so, since they would be the same issuer and would have unique serial
> numbers. But in theory I'd want those jobs separate.

The separation would be done at the CRL signing stage or before. Posting
the abdication notice across the front page of the blacklist everybody is
looking at improves efficiency.

> I like the term abdication although it doesn't handle the regicide case;
> suppose others know the root is bad, but the king doesn't know it's dead :)

Like Saddam Hussein who still considered himself the president
when they found him in his hidden personal bunker.

> But as I said, this is more about pedanticism than practical real-world
> practice. (I used to work at a company that was perhaps the apotheosis of that)

Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
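
The two options weighed in this thread (one shared CRL versus a distribution point restricted a priori to CA revocation) and the signing-stage check for the CA's own serial, modelled as an added example that is not code from the thread or from OpenSSL. `vet_crl`, `signer_is_ca_owner` and the sample serials are hypothetical; the bit positions are those of the RFC 5280 ReasonFlags BIT STRING.

```python
# RFC 5280 ReasonFlags named bits (positions in the BIT STRING).
REASON_BITS = {
    "keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
    "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6,
    "privilegeWithdrawn": 7, "aACompromise": 8,
}

def encode_reason_flags(reasons):
    """DER-encode a ReasonFlags BIT STRING, i.e. the scope of a restricted crlDP."""
    bits = sorted(REASON_BITS[r] for r in reasons)
    if not bits:
        raise ValueError("a restricted distribution point needs at least one reason")
    nbytes = bits[-1] // 8 + 1
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - (bits[-1] + 1)  # DER drops trailing zero bits
    return bytes([0x03, nbytes + 1, unused]) + bytes(value)

def vet_crl(entries, ca_serial, scope=None, signer_is_ca_owner=False):
    """Pre-signing check (hypothetical model of the signing tool in the thread).
    entries: (serial, reason) pairs queued for one CRL.
    scope: reasons the CRL is restricted to, or None for an unrestricted CRL.
    Returns (accepted, alerts); an entry that raises an alert is not signed."""
    accepted, alerts = [], []
    for serial, reason in entries:
        if reason not in REASON_BITS:
            alerts.append(f"{serial:#x}: {reason!r} has no ReasonFlags bit")
        elif scope is not None and reason not in scope:
            alerts.append(f"{serial:#x}: {reason} is outside this CRL's scope")
        elif serial == ca_serial and not signer_is_ca_owner:
            alerts.append(f"{serial:#x}: entry revokes the issuing CA itself")
        else:
            accepted.append((serial, reason))
    return accepted, alerts

# Constructed sample data: serial 0x01 stands for the CA's own certificate.
CA_SERIAL = 0x01
QUEUE = [(0x1A2B, "keyCompromise"), (0x01, "cACompromise"), (0x1A2C, "superseded")]

if __name__ == "__main__":
    print(encode_reason_flags({"cACompromise"}).hex())
    print(vet_crl(QUEUE, CA_SERIAL))  # shared CRL, request from revocation staff
    print(vet_crl(QUEUE, CA_SERIAL, scope={"cACompromise"}, signer_is_ca_owner=True))
```
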