Generally, CRLs work reasonably well for revoking intermediate CAs and
leaf certificates, not so well for dealing with trust anchors. CRLs
work by the parent signing the revocation (and by being able to re-issue
new certificates). Root certs/trust anchors by definition do not have
parents.
There's a lot more - but that's the gist of the issue.
Mike
On 9/10/2018 2:56 PM, shabbir ali wrote:
Hi all,
My question is that instead of messing with the DNSSEC key Rollover
timing and all that manual and automation tools dependencies, why not
simply use a key revocation list just like a certificate revocation
list (CRL)?
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
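To make Mike's point concrete, here is a toy PKI model added as an example for this page; it is not code from the thread or from any DNSOP or IETF project. Signatures are stood in for by HMAC over canonical JSON so the example runs on the Python standard library alone (so a "public key" here is the same bytes as the signing secret; the chain and CRL logic does not depend on that simplification), and the names "Root CA", "Intermediate CA" and "www.example.test" are constructed. The verifier checks every certificate's signature and CRL against its issuer's key, except the self-signed anchor, whose acceptance is decided by the trust store. Revoking the intermediate therefore works through an ordinary root-signed CRL entry, while a CRL in which the root "revokes" itself is signed by the very key in question and never enters the anchor decision; the only working remedy is removing the anchor from the trust store out of band.

```python
"""Toy PKI: CRLs are parent-signed statements, so they cover leaves and
intermediates; a trust anchor has no parent to sign one."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


# Toy signature scheme (assumption for this example): HMAC over canonical JSON.
# Real PKI uses asymmetric signatures; a MAC is used only so this runs offline.
def sign(key: bytes, payload: dict) -> str:
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


def cert_tbs(subject: str, issuer: str, serial: int, pubkey: bytes) -> dict:
    return {"subject": subject, "issuer": issuer, "serial": serial, "pubkey": pubkey.hex()}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    pubkey: bytes
    sig: str

    def tbs(self) -> dict:
        return cert_tbs(self.subject, self.issuer, self.serial, self.pubkey)

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: frozenset
    sig: str

    def tbs(self) -> dict:
        return {"issuer": self.issuer, "revoked": sorted(self.revoked)}


class Authority:
    """A CA. A root (parent=None) signs its own certificate."""

    def __init__(self, name: str, parent: "Authority | None" = None):
        self.name = name
        self.key = os.urandom(32)
        self.next_serial = 1
        self.revoked = set()
        self.cert = (parent or self).issue(name, self.key)

    def issue(self, subject: str, pubkey: bytes) -> Cert:
        serial, self.next_serial = self.next_serial, self.next_serial + 1
        tbs = cert_tbs(subject, self.name, serial, pubkey)
        return Cert(subject, self.name, serial, pubkey, sign(self.key, tbs))

    def revoke(self, cert: Cert) -> None:
        # Only the issuer can put a serial on its CRL: revocation is parent-signed.
        if cert.issuer != self.name:
            raise ValueError("only the issuer can revoke a certificate")
        self.revoked.add(cert.serial)

    def crl(self) -> CRL:
        revoked = frozenset(self.revoked)
        tbs = {"issuer": self.name, "revoked": sorted(revoked)}
        return CRL(self.name, revoked, sign(self.key, tbs))


def revocation_signer(cert: Cert) -> "str | None":
    """Who can sign a revocation for this cert: its parent, or nobody for an anchor."""
    return None if cert.is_self_signed() else cert.issuer


def validate(chain: list, crls: dict, trust_store: dict) -> str:
    """Validate a leaf-first chain. crls maps issuer name -> CRL; trust_store maps
    anchor name -> key. Returns 'ok' or a short reason for failure."""
    for i, cert in enumerate(chain):
        if cert.is_self_signed():
            # The anchor is accepted or not by the trust store, never by a signature
            # or a CRL: there is no parent key to check either against.
            if trust_store.get(cert.subject) != cert.pubkey:
                return f"untrusted anchor {cert.subject}"
            return "ok"
        if i + 1 >= len(chain):
            return "incomplete chain"
        issuer = chain[i + 1]
        if issuer.subject != cert.issuer or not verify(issuer.pubkey, cert.tbs(), cert.sig):
            return f"bad signature on {cert.subject}"
        crl = crls.get(cert.issuer)
        if crl is not None and verify(issuer.pubkey, crl.tbs(), crl.sig) and cert.serial in crl.revoked:
            return f"revoked: {cert.subject}"
    return "incomplete chain"


def demo() -> dict:
    root = Authority("Root CA")
    inter = Authority("Intermediate CA", parent=root)
    leaf = inter.issue("www.example.test", os.urandom(32))
    chain = [leaf, inter.cert, root.cert]
    trust_store = {"Root CA": root.key}
    out = {"valid": validate(chain, {}, trust_store)}
    # Root key compromised: the root "revokes" itself, but the only key able to
    # sign that CRL is the compromised one, and the anchor check never reads it.
    root.revoke(root.cert)
    out["root_self_crl"] = validate(chain, {"Root CA": root.crl()}, trust_store)
    # The working remedy is out of band: drop the anchor from the trust store.
    out["anchor_removed"] = validate(chain, {}, {})
    # By contrast, revoking the intermediate is an ordinary parent-signed CRL entry.
    root.revoke(inter.cert)
    out["intermediate_revoked"] = validate(chain, {"Root CA": root.crl()}, trust_store)
    return out


if __name__ == "__main__":
    print(demo())
```

The same shape carries over to DNSSEC: a DNSKEY's revocation can be signed by the key itself or by its parent zone, but the trust anchor configured in a resolver has no parent to speak for it, which is why anchor replacement is a resolver-side update rather than a signed revocation entry.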