> This is not possible according to PKIX. RFC5280 states "The trust anchor for
> the certification path [of the crl] MUST be the same as the trust anchor used
> to validate the target certificate."

The root certificate creates a crl-signing cert. The root certificate includes a cRLDistributionPoint that names that crl-signing cert, and has cACompromise in its ReasonFlags. The crl-signing cert immediately issues an empty CRL. Whenever you give someone the CA cert, you give them the crl cert, and the empty CRL as well. The relying party now has the key that will sign the CRL, and a signed piece of data using that key.

This is more theory than practice -- how many angels can dance on the head of a pin? -- but it does securely give you a way to be sure that you only trust a "proper" root revocation. Whether or not that is something to do (as opposed to playing it safe and not worrying about whether or not someone has compromised the root to sign its own CRL "death warrant") is for others to argue.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA