> Wouldn't it be just as good to have a cRLDistributionPoint which does not
> restrict the available ReasonFlags and then put "cACompromise" in the CRL
> if/when that disaster happens?
No, because with my idea you a priori restrict the crlDP to be only CA
revocation.
> Wouldn't it be equally good to use the same crl-signing cert already used for
> the regular CRL of revoked next-level certs?
Operational decision -- do you trust the people who revoke your certs exactly
like you trust the people who revoke "you"?
> Would it be possible to use the same CRL and cRLDistributionPoint for both
> child certs and self-revocation (abdication)?
I think so, since they would be the same issuer and would have unique serial
numbers. But in theory I'd want those jobs separate.
I like the term abdication although it doesn't handle the regicide case;
suppose others know the root is bad, but the king doesn't know it's dead :)
But as I said, this is more about pedanticism than practical real-world
practice. (I used to work at a company that was perhaps the apotheosis of that.)
/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
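As an added illustration (not code from this thread or its authors), the two-distribution-point layout being discussed, built with pyca/cryptography: one unrestricted DP for ordinary revocations and a second "abdication" DP whose ReasonFlags are a priori limited to cACompromise, plus a CRL entry carrying the cACompromise reason code. The URIs, names and the `dps_covering` helper are constructed for the example; the helper is a simplified reason match, not a full RFC 5280 DP-matching implementation.

```python
# Added example: encode the "abdication crlDP" idea with pyca/cryptography.
# Assumes the `cryptography` package; all names and URIs are constructed.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CA_COMPROMISE = x509.ReasonFlags.ca_compromise
KEY_COMPROMISE = x509.ReasonFlags.key_compromise
REGULAR_URI = "http://crl.example.test/regular.crl"        # constructed
ABDICATION_URI = "http://crl.example.test/abdication.crl"  # constructed


def build_root_with_split_dps():
    """Self-signed root whose cRLDistributionPoints has a regular DP and a
    cACompromise-only DP. Returns (certificate, private_key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root")])
    now = datetime.datetime.now(datetime.timezone.utc)
    dps = x509.CRLDistributionPoints([
        # Regular DP: reasons=None, so it covers every reason code.
        x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(REGULAR_URI)],
                               relative_name=None, reasons=None, crl_issuer=None),
        # Abdication DP: ReasonFlags restricted a priori to cACompromise only.
        x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(ABDICATION_URI)],
                               relative_name=None, reasons=frozenset([CA_COMPROMISE]),
                               crl_issuer=None),
    ])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(dps, critical=False).sign(key, hashes.SHA256()))
    return cert, key


def dps_covering(cert, reason):
    """URIs of the DPs whose ReasonFlags admit `reason` (simplified matching)."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [uri.value for dp in ext if dp.reasons is None or reason in dp.reasons
            for uri in dp.full_name]


def build_abdication_crl(cert, key):
    """CRL signed by the root that revokes the root itself with cACompromise."""
    now = datetime.datetime.now(datetime.timezone.utc)
    entry = (x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
             .revocation_date(now)
             .add_extension(x509.CRLReason(CA_COMPROMISE), critical=False).build())
    return (x509.CertificateRevocationListBuilder().issuer_name(cert.subject)
            .last_update(now).next_update(now + datetime.timedelta(days=1))
            .add_revoked_certificate(entry).sign(key, hashes.SHA256()))


def crl_reason_for(crl, serial):
    """ReasonFlags value recorded on the CRL entry for `serial`, or None."""
    rev = crl.get_revoked_certificate_by_serial_number(serial)
    return None if rev is None else rev.extensions.get_extension_for_class(x509.CRLReason).value.reason
```

A relying party that only consults the abdication DP therefore never sees keyCompromise or other routine revocations, which is the separation the thread is arguing about.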