On 1/20/2012 12:11 PM, Mathias Tausig wrote:
Hi!

If I revoke a certificate using the "-revoke" option of the "ca" command
and pass it a certificate which is issued by a different CA, this is not
checked by openssl.
This has the consequence that (if the serial number of the certificate
to be revoked is not present yet) a new entry is added to the
ca.db.index file which marks the certificate as revoked, but under the
wrong CA.

Is this expected behaviour or a bug?


I am not sure, but this COULD be a feature to support the ability
to delegate CRL signing to a subordinate certificate.

If this is the case, such a facility improves security by allowing
the real CA private key to be kept strictly offline with a manual
signing of accepted certificates once a day or once a week,
while still publishing instant CRL updates when someone
reports their certificate stolen via an online Web form.

I know that our (now mostly defunct) national CA had CPS
policy requirements that CRL revocations should be published
within 1 minute of a compromise report and that signature
recipients should check against a CRL no older than 5
minutes.
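A pre-revocation check in shell, added here as an example and not taken from this thread or from OpenSSL itself: it refuses to hand a certificate to "openssl ca -revoke" unless the certificate's issuer DN equals the CA certificate's subject DN and the chain verifies against that CA, so a certificate from another CA can never produce a stray revoked entry in this CA's index file. It assumes openssl on PATH, the CA certificate path as the second argument, and an optional CA_CONFIG variable naming the ca config file (both names are this example's own).

```shell
#!/bin/sh
# Added example, not OpenSSL's own tooling. Assumes: openssl on PATH,
# the CA's certificate passed as the second argument, and an optional
# CA_CONFIG environment variable naming the "openssl ca" config file.

# Return 0 only if certificate $1 was issued by the CA certificate $2.
# Two checks: the issuer DN must equal the CA subject DN, and the chain
# must verify against the CA certificate, which also catches a CA that
# merely reuses the same name with a different key.
issued_by_this_ca() {
    cert=$1
    ca_cert=$2
    issuer=$(openssl x509 -in "$cert" -noout -issuer) || return 1
    subject=$(openssl x509 -in "$ca_cert" -noout -subject) || return 1
    # Drop the "issuer=" / "subject=" prefixes so the DNs compare directly;
    # both come from the same openssl build, so their formatting matches.
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    openssl verify -CAfile "$ca_cert" "$cert" >/dev/null 2>&1
}

# Revoke only after the issuer check passes.
safe_revoke() {
    cert=$1
    ca_cert=$2
    if issued_by_this_ca "$cert" "$ca_cert"; then
        openssl ca ${CA_CONFIG:+-config "$CA_CONFIG"} -revoke "$cert"
    else
        echo "refusing to revoke $cert: not issued by $ca_cert" >&2
        return 1
    fi
}
```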

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
