If that CRL is trying to revoke that root certificate, what in that CRL could be forged? A CRL can only revoke a CRT, not unrevoke, right? I know that when revoking a certificate, the CRL is signed by the certificate issuer (CA); is there a reason why a (small) CRL could not be signed by the certificate itself? (After all, anyone using a leaked private key would be interested in delaying revocation, but they have no means of preventing it.)

Quoting *Erik Tkal <et...@juniper.net> [1]*:

> Self-signed certs cannot be revoked, because if the private key
> were compromised then CRLs could be forged. Trusted roots by
> definition are explicitly trusted, and are usually placed in a
> secure location (e.g. local system trusted root store), and this set
> is usually updated as part of the OS.
>
> ....................................
> *Erik Tkal*
> Juniper OAC/UAC/Pulse Development
>
> *From:* owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] *On Behalf Of*
> y...@inbox.lv
> *Sent:* Monday, July 18, 2011 2:10 PM
> *To:* openssl-users@openssl.org
> *Subject:* Re: revoking crt
>
> is that really a self signed certificate? For self signed
> certificates names of issuer
> are the same as names of subject. In your example OU and CN are
> not the same.
> Also, according to Wikipedia, self signed certificates (root
> certificates) cannot be revoked,
> although I do not understand why. (CRL could be signed by
> certificate's own key).
Links:
------
[1] mailto:et...@juniper.net