Re: CRLs and self-signed root certs.

2000-12-04 Thread Bodo Moeller
On Sat, Dec 02, 2000 at 12:05:46PM +, Ben Laurie wrote: Bodo Moeller wrote: Peter Gutmann [EMAIL PROTECTED]: Mats Nilsson [EMAIL PROTECTED]: Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is

Re: CRLs and self-signed root certs.

2000-12-04 Thread Mats Nilsson
Ben Laurie [EMAIL PROTECTED] wrote: Eh? Surely if a cert revokes itself then one of two things has happened: a) The legitimate owner revoked it b) Someone else got hold of the private key and revoked it in either case, you want the cert to be revoked, right? In case b, nothing would stop the

RE: CRLs and self-signed root certs.

2000-12-04 Thread Frank Balluffi
From: Ben Laurie [mailto:[EMAIL PROTECTED]] Sent: Saturday, December 02, 2000 7:06 AM To: [EMAIL PROTECTED] Subject: Re: CRLs and self-signed root certs. Bodo Moeller wrote: Peter Gutmann [EMAIL PROTECTED]: Mats Nilsson [EMAIL PROTECTED]: Should a self-signed root

Re: CRLs and self-signed root certs.

2000-12-04 Thread Goetz Babin-Ebell
Mats Nilsson wrote: Goetz Babin-Ebell [EMAIL PROTECTED] wrote: You can generate a new root certificate and use it to sign the new CRL which lists the old root certificate as revoked... I'm not sure one should recognize the new root CA to be a legitimate revoker of the original certificate.

Re: CRLs and self-signed root certs.

2000-12-04 Thread Goetz Babin-Ebell
Frank Balluffi wrote: I can imagine a scenario whereby an organization might choose to sign a death notice before going out of business. For example, suppose a commercial CA decided to go out of business, there might be benefits to their signing a CRL including their root certificate. The

Re: CRLs and self-signed root certs.

2000-12-04 Thread Peter Gutmann
Goetz Babin-Ebell [EMAIL PROTECTED] writes: Everybody can issue a CRL. Only a CA with CRL signing enabled can issue a CRL. A CA can issue a CRL with own revoked certificates but it can issue a CRL with revoked certificates of other CAs (at least in X509v3...) A CA can't revoke another CA's

RE: CRLs and self-signed root certs.

2000-12-04 Thread Frank Balluffi
Subject: Re: CRLs and self-signed root certs. A CA can't revoke another CA's certificates, only certificates which it has issued. Not so clear -- the CRL contains the issuer DN and a list of serial#'s (basically), but it doesn't have to be the signed by a cert with that DN. (Yes, most

Re: CRLs and self-signed root certs.

2000-12-04 Thread Goetz Babin-Ebell
Peter Gutmann wrote: Goetz Babin-Ebell [EMAIL PROTECTED] writes: Everybody can issue a CRL. Only a CA with CRL signing enabled can issue a CRL. Everybody who can generate a certificate with the proper flags can generate a CRL. But he has to find a way to let the user trust him in

Re: CRLs and self-signed root certs.

2000-12-04 Thread Peter Gutmann
Goetz Babin-Ebell [EMAIL PROTECTED] writes: Peter Gutmann wrote: Goetz Babin-Ebell [EMAIL PROTECTED] writes: Everybody can issue a CRL. Only a CA with CRL signing enabled can issue a CRL. Everybody who can generate a certificate with the proper flags can generate a CRL. Sure, but this

Re: CRLs and self-signed root certs.

2000-12-02 Thread Ben Laurie
Bodo Moeller wrote: Peter Gutmann [EMAIL PROTECTED]: Mats Nilsson [EMAIL PROTECTED]: Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users'

Re: CRLs and self-signed root certs.

2000-12-01 Thread Peter Gutmann
Mats Nilsson [EMAIL PROTECTED] writes: Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it simply ceases to issue more CRLs? No one

Re: CRLs and self-signed root certs.

2000-12-01 Thread Goetz Babin-Ebell
Mats Nilsson wrote: Hi list. Hallo Mats, Some philosophical questions: Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it

Re: CRLs and self-signed root certs.

2000-12-01 Thread Jean-Marc Desperrier
Goetz Babin-Ebell wrote: Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it simply ceases to issue more CRLs? Since the

Re: CRLs and self-signed root certs.

2000-12-01 Thread Bodo Moeller
Peter Gutmann [EMAIL PROTECTED]: Mats Nilsson [EMAIL PROTECTED]: Should a self-signed root certificate ever need to be revoked, shall it list itself in its usual CRL(s), as the last thing it does before it is thrown away, or is it sufficient (from its users' standpoint) that it simply ceases