Also, does openssl allow a CA to revoke its own self-signed certificate? What happens when, during the openssl verify, it finds that the CRL given by the CA contains the CA certificate in the revoked list?
On Mon, Jan 26, 2009 at 9:28 PM, PS <mytechl...@gmail.com> wrote:
> Can you please elaborate on how the higher-layer security
> infrastructure would go about this?
> To me, it just seems impossible to do this and the issue might only be
> mitigated by spreading awareness by an out-of-band means but not eliminated
> until, of course, the self-signed CA certificate expires.
>
>
> On Mon, Jan 26, 2009 at 9:20 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
>
>> A self-signed CA certificate (technically, a "trust anchor") cannot be
>> revoked via CRL. This is assumed to be a function of the higher-layer
>> security infrastructure which led to the trust anchor being trusted in
>> the first place, and is outside the scope of CRL.
>>
>> -Kyle H
>>
>> On Mon, Jan 26, 2009 at 9:17 PM, PS <mytechl...@gmail.com> wrote:
>> > Hi All,
>> > Is it possible to revoke a self-signed CA certificate?
>> >
>> > If yes, then I don't understand why it should be allowed. It does not
>> > make sense. The only reason a root CA would want to revoke its own
>> > certificate is if its private key might have been compromised. So, the
>> > CA would want to revoke its certificate and create a new CRL.
>> > But since the private key is compromised, the attacker can always use
>> > the private key (of the CA), and create yet another new CRL and
>> > distribute it.
>> >
>> > This looks like a chicken-and-egg problem because you are trusting a
>> > CRL sent by a CA and the CRL mentions not to trust the very same CA
>> > since its certificate is revoked. What is the solution to this problem?
>> > Any insights?
>> >
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
>
>
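The point Kyle makes about the trust anchor being outside CRL scope is easier to see in a small model of path validation. The following is an added example written for this thread, not code from OpenSSL or from any of the posters. It is a toy: signatures are simulated with HMAC-SHA256 (so a certificate's `key` field doubles as its signing key) and the certificate and CRL formats are made up, because the point is structural: every certificate in the path is checked against the CRL of its issuer, and the issuer of the last certificate is the anchor pulled from the trust store, which is itself never looked up in any CRL. A CRL that lists the root's own serial therefore changes nothing; removing the root from the store (the "higher-layer" step, done out of band) is what actually distrusts it. What a particular implementation such as openssl verify does when it meets such a CRL is implementation-specific and not modelled here.

```python
"""Toy model of X.509 path validation with CRL checks (added example, not
from the thread).  Signatures are simulated with HMAC-SHA256 so it runs
offline; the certificate's "key" field doubles as the signing key, which
is fine for showing *which* certificates are subject to CRL checks."""
import hashlib
import hmac
from dataclasses import dataclass


def sign(key: bytes, data: bytes) -> bytes:
    # Stand-in for an RSA/ECDSA signature (constructed, toy only).
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_sig(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    key: bytes
    sig: bytes = b""

    def tbs(self) -> bytes:  # the "to-be-signed" part of the certificate
        return f"{self.subject}|{self.issuer}|{self.serial}|{self.key.hex()}".encode()


@dataclass
class CRL:
    issuer: str
    revoked: frozenset
    sig: bytes = b""

    def tbs(self) -> bytes:
        return f"{self.issuer}|{sorted(self.revoked)}".encode()


def make_root(name: str, serial: int, key: bytes) -> Cert:
    root = Cert(name, name, serial, key)
    root.sig = sign(key, root.tbs())  # self-signed
    return root


def issue_cert(issuer: Cert, subject: str, serial: int, key: bytes) -> Cert:
    cert = Cert(subject, issuer.subject, serial, key)
    cert.sig = sign(issuer.key, cert.tbs())
    return cert


def issue_crl(issuer: Cert, revoked_serials) -> CRL:
    crl = CRL(issuer.subject, frozenset(revoked_serials))
    crl.sig = sign(issuer.key, crl.tbs())
    return crl


def verify(leaf: Cert, intermediates, trust_store: dict, crls: dict):
    """Return (ok, reason).  Each certificate in the path is signature- and
    CRL-checked against its issuer; the issuer of the last one is the trust
    anchor taken from the store.  The anchor itself is never looked up in a
    CRL: its status is a property of the store, not of any CRL."""
    by_subject = {c.subject: c for c in intermediates}
    path = [leaf]
    while path[-1].issuer not in trust_store:
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt in path:  # no issuer, or a loop
            return False, f"no trusted issuer found for {path[-1].subject}"
        path.append(nxt)
    anchor = trust_store[path[-1].issuer]

    for i, cert in enumerate(path):
        issuer = path[i + 1] if i + 1 < len(path) else anchor
        if not verify_sig(issuer.key, cert.tbs(), cert.sig):
            return False, f"bad signature on {cert.subject}"
        crl = crls.get(issuer.subject)
        if crl is None or not verify_sig(issuer.key, crl.tbs(), crl.sig):
            return False, f"no valid CRL from {issuer.subject}"
        if cert.serial in crl.revoked:
            return False, f"{cert.subject} (serial {cert.serial}) is revoked"
    return True, "ok"


def demo():
    # Constructed sample PKI: one self-signed root and one server cert.
    root = make_root("Root CA", 1, b"root-signing-key (constructed)")
    server = issue_cert(root, "www.example.test", 2, b"server-key (constructed)")
    store = {"Root CA": root}

    good = verify(server, [], store, {"Root CA": issue_crl(root, [])})
    leaf_revoked = verify(server, [], store, {"Root CA": issue_crl(root, [2])})
    # CRL listing the root's own serial: the anchor is outside CRL scope,
    # so the path is still accepted.
    anchor_in_crl = verify(server, [], store, {"Root CA": issue_crl(root, [1])})
    # The actual remedy is distrust at the store level, done out of band.
    anchor_removed = verify(server, [], {}, {"Root CA": issue_crl(root, [1])})
    return good, leaf_revoked, anchor_in_crl, anchor_removed


if __name__ == "__main__":
    labels = ("good", "leaf revoked", "anchor in CRL", "anchor removed")
    for label, result in zip(labels, demo()):
        print(f"{label:15s} -> {result}")
```

Running the script prints four verdicts: the clean chain and the chain whose root appears in its own CRL are both accepted, the revoked leaf is rejected, and the chain is rejected only once the root is gone from the trust store. That last case is the defender's lever: distribute a new trust store (or an explicit distrust entry) through whatever channel installed the root, rather than expecting a CRL signed by the compromised key to do the job.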