Re: OCSP and self signed

2013-07-31 Thread Jakob Bohm
On 31-07-2013 22:11, Salz, Rich wrote:
> Wouldn't it be just as good to have a cRLDistributionPoint which does not
> restrict the available ReasonFlags and then put "cACompromise" in the CRL
> if/when that disaster happens?

No because with my idea you a priori restrict the crlDP to be only CA r

RE: OCSP and self signed

2013-07-31 Thread Salz, Rich
> Wouldn't it be just as good to have a cRLDistributionPoint which does not
> restrict the available ReasonFlags and then put "cACompromise" in the CRL
> if/when that disaster happens?

No because with my idea you a priori restrict the crlDP to be only CA revocation.

> Wouldn't it be equall

Re: OCSP and self signed

2013-07-31 Thread Jakob Bohm
On 31-07-2013 19:56, Salz, Rich wrote:
>> This is not possible according to PKIX. RFC5280 states "The trust anchor for
>> the certification path [of the crl] MUST be the same as the trust anchor used
>> to validate the target certificate."
>
> The root certificate creates a crl-signing cert. The root certi

RE: OCSP and self signed

2013-07-31 Thread Salz, Rich
> This is not possible according to PKIX. RFC5280 states "The trust anchor for
> the certification path [of the crl] MUST be the same as the trust anchor used
> to validate the target certificate."

The root certificate creates a crl-signing cert. The root certificate includes a cRLDistributionP

RE: OCSP and self signed

2013-07-31 Thread Eisenacher, Patrick
> -Original Message-
> From: Walter H.
>
> Eisenacher, Patrick wrote:
>> -Original Message-
>> From: Jakob Bohm
>>
>> As I said before, there's no pki-inherent mechanism to revoke a self signed
>> certificate other than to remove it from your truststore.
>
> not really; a CA tha

Re: OCSP and self signed

2013-07-31 Thread Walter H.
On 31.07.2013 16:47, Jakob Bohm wrote:
>> the only cert that can't be checked by OCSP is the root cert itself;
>
> This is where I disagree, can you point me to an actual reason why not,
> which is not refuted by my logical ABC argument above.

the Authority Information Access extension does not make an

Re: OCSP and self signed

2013-07-31 Thread Jakob Bohm
On 31-07-2013 16:01, Walter H. wrote: Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 31-07-2013 11:02, Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 30-07-2013 20:53, Walter H. wrote: On 30.07.2013 19:51, Eisenacher, Patrick wrote: Jako

Re: OCSP and self signed

2013-07-31 Thread Walter H.
Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 31-07-2013 11:02, Eisenacher, Patrick wrote: -Original Message- From: Jakob Bohm On 30-07-2013 20:53, Walter H. wrote: On 30.07.2013 19:51, Eisenacher, Patrick wrote: Jakob, I don't und

RE: OCSP and self signed

2013-07-31 Thread Eisenacher, Patrick
> -Original Message-
> From: Jakob Bohm
>
> On 31-07-2013 11:02, Eisenacher, Patrick wrote:
> >> -Original Message-
> >> From: Jakob Bohm
> >>
> >> On 30-07-2013 20:53, Walter H. wrote:
> >>> On 30.07.2013 19:51, Eisenacher, Patrick wrote:
>
> > Jakob, I don't understand your reasoni

Re: OCSP and self signed

2013-07-31 Thread Jakob Bohm
On 31-07-2013 11:02, Eisenacher, Patrick wrote:
>> -Original Message-
>> From: Jakob Bohm
>>
>> On 30-07-2013 20:53, Walter H. wrote:
>>> On 30.07.2013 19:51, Eisenacher, Patrick wrote:
>>
>> In Boolean logic, we have the following possibilities:
>> - Root is trusted, so the revocation is valid, so the root i

RE: OCSP and self signed

2013-07-31 Thread Eisenacher, Patrick
> -Original Message-
> From: Jakob Bohm
>
> On 30-07-2013 20:53, Walter H. wrote:
> > On 30.07.2013 19:51, Eisenacher, Patrick wrote:
>
> In Boolean logic, we have the following possibilities:
>
> - Root is trusted, so the revocation is valid, so the root is not
> trusted. This is a c

Re: OCSP and self signed

2013-07-30 Thread Jakob Bohm
On 30-07-2013 20:53, Walter H. wrote:
> On 30.07.2013 19:51, Eisenacher, Patrick wrote:
>>> I was wondering how the root cert gets revoked. Anyway thanks for posting
>>> that request.
>>
>> A self-signed certificate can't be revoked via a crl, because you won't be
>> able to successfully verify its signature.
>
> ke

Re: OCSP and self signed

2013-07-30 Thread Walter H.
On 30.07.2013 19:51, Eisenacher, Patrick wrote:
>> I was wondering how the root cert gets revoked. Anyway thanks for posting
>> that request.
>
> A self-signed certificate can't be revoked via a crl, because you won't be
> able to successfully verify its signature.

keep in mind, that in case you detect a p

RE: OCSP and self signed

2013-07-30 Thread Eisenacher, Patrick
> -Original Message-
> From: redpath
>
> I agree with this
>
> "Once again, I would like to advocate that the openssl verification code
> should allow a self-signed certificate to revoke itself, using the same
> mechanisms as for revoking anything else. "
>
> I was wondering how the ro

Re: OCSP and self signed

2013-07-30 Thread redpath
I agree with this:

"Once again, I would like to advocate that the openssl verification code should allow a self-signed certificate to revoke itself, using the same mechanisms as for revoking anything else."

I was wondering how the root cert gets revoked. Anyway thanks for posting that reques
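
What the self-revoking root that Jakob Bohm advocates above, together with the cRLDistributionPoint/ReasonFlags scoping debated with Rich Salz earlier in the thread, looks like when actually built. This is an added example, not code from the thread, from OpenSSL or from any of the posters. It creates a self-signed root whose cRLDistributionPoints extension is restricted to the single reason cACompromise, signs a CRL with the root's own key that lists the root's own serial number, and then checks the root against that CRL. The Python `cryptography` package is an assumption, the CRL URL is hypothetical and never fetched, and the root name, serial numbers and dates are constructed for the example.

```python
"""Added example (not from the thread or OpenSSL): a self-signed root revoking
itself through a CRL, with the distribution point's reason scope honoured.
Assumes the `cryptography` package; CRL_URL is hypothetical."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CRL_URL = "http://crl.example.invalid/root.crl"  # hypothetical, never fetched


def make_root(restrict_to_ca_compromise=True):
    """Constructed self-signed CA cert with one cRLDistributionPoint, optionally
    scoped to the reason cACompromise (the restriction discussed in the thread)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test Root")])
    reasons = frozenset([x509.ReasonFlags.ca_compromise]) if restrict_to_ca_compromise else None
    dp = x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)],
        relative_name=None,
        reasons=reasons,   # None means the DP covers all reasons (RFC 5280 4.2.1.13)
        crl_issuer=None,   # absent: the CRL issuer is the cert issuer, i.e. the root itself
    )
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(key, issuer_cert, revoked_serial, reason):
    """CRL signed by `key` (here the root's own key) with one entry carrying a CRLReason."""
    now = datetime.datetime.now(datetime.timezone.utc)
    entry = (
        x509.RevokedCertificateBuilder()
        .serial_number(revoked_serial)
        .revocation_date(now)
        .add_extension(x509.CRLReason(reason), critical=False)
        .build()
    )
    return (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
        .add_revoked_certificate(entry)
        .sign(key, hashes.SHA256())
    )


def dp_reason_scope(cert):
    """Union of the reasons the cert's distribution points cover (no reasons field = all)."""
    dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    scope = set()
    for dp in dps:
        scope |= set(dp.reasons) if dp.reasons is not None else set(x509.ReasonFlags)
    return scope


def root_status(cert, crl):
    """Return (crl_signature_ok, root_revoked) for a self-signed cert against a CRL.

    A PKIX verifier (RFC 5280 6.1/6.3) never does this for a trust anchor, because
    the anchor is not itself path-validated; this is the thread's proposal, treating
    the root like any other certificate and consulting its own CRL."""
    sig_ok = crl.is_signature_valid(cert.public_key())  # root key verifies root-signed CRL
    if not sig_ok or crl.issuer != cert.subject:
        return sig_ok, False
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return sig_ok, False
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    # An entry only counts if its reason lies within the DP's reason scope.
    return sig_ok, reason in dp_reason_scope(cert)


def self_revocation_demo():
    """Run the cases the thread argues about; returns {case: (sig_ok, revoked)}."""
    key, root = make_root(restrict_to_ca_compromise=True)
    ca_comp, sup = x509.ReasonFlags.ca_compromise, x509.ReasonFlags.superseded
    results = {
        "scoped_dp_ca_compromise": root_status(root, make_crl(key, root, root.serial_number, ca_comp)),
        "scoped_dp_superseded": root_status(root, make_crl(key, root, root.serial_number, sup)),
        "scoped_dp_other_serial": root_status(root, make_crl(key, root, root.serial_number + 1, ca_comp)),
    }
    key2, root2 = make_root(restrict_to_ca_compromise=False)
    results["open_dp_superseded"] = root_status(root2, make_crl(key2, root2, root2.serial_number, sup))
    return results


if __name__ == "__main__":
    for case, (sig_ok, revoked) in self_revocation_demo().items():
        print(f"{case:26s} crl_sig_ok={sig_ok} root_revoked={revoked}")
```

Run as a script it prints the four cases. Two things are worth noticing. The CRL's signature verifies mechanically under the root's own public key, so `root_status` can reach the revocation entry at all; what keeps a conforming verifier from ever acting on such an entry is that RFC 5280 path validation takes the trust anchor as input and does not revocation-check it, which is the circularity the thread's "Boolean logic" exchange is about. And with the reasons field set on the distribution point, a CRL entry for the root with any reason other than cACompromise is outside that DP's scope and is ignored, which is the a priori restriction to "CA revocation" that the Bohm/Salz exchange contrasts with an unrestricted DP.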

Re: OCSP and self signed

2013-07-30 Thread Jakob Bohm
On 23-07-2013 23:56, Steven Madwin wrote:
> The short answer is no. An OCSP response has to be signed by the issuer (or
> a delegate of the issuer) and a self-signed cert is issued by itself. As a
> general rule certs can't revoke themselves so there is no need to get a
> revocation response for a self-

RE: OCSP and self signed

2013-07-24 Thread Steven Madwin
The short answer is no. An OCSP response has to be signed by the issuer (or a delegate of the issuer) and a self-signed cert is issued by itself. As a general rule certs can't revoke themselves so there is no need to get a revocation response for a self-signed cert.

Steve

-Original Message--