Olaf Gellert:
> I would not say so. If I found a CRL which contains the
> self-signed root certificate I would stop trusting it
> immediately.
Why? What do you think that CRL means? Specifically, do you think it means
the public key was compromised? Do you think it means the issuer of the
origin
Hi all,
David Schwartz wrote:
>> Can you please elaborate on how the higher-layer security
>> infrastructure would go about this?
>
> Simply put, whatever put the certificate in its trusted position is what is
> to remove it. If a CA says to trust a certificate, that CA can say not to.
> But if t
There is currently no automated protocol for doing this. There is
currently an effort at PKIX for a "Trust Anchor Management Protocol",
though, which would allow for tools to be made cross-platform.
Also, self-signed CAs are basically never checked for expiration.
(The 'trust anchor' is technical
> Can you please elaborate on how the higher-layer security
> infrastructure would go about this?
Simply put, whatever put the certificate in its trusted position is what is
to remove it. If a CA says to trust a certificate, that CA can say not to.
But if the certificate is self-signed, the trust
Also, does openssl allow a CA to revoke its own self-signed certificate?
What happens when, during the openssl verify, it finds that the CRL given by
the CA contains the CA certificate in the revoked list?
On Mon, Jan 26, 2009 at 9:28 PM, PS wrote:
> Can you please elaborate on how would the higher-
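The openssl question above (and Kyle's point further down that a trust anchor is outside the scope of CRL) can be checked directly. The script below is an added example, not from this thread or from the OpenSSL project: it builds a throwaway CA, lists the CA's own self-signed certificate on its CRL, and runs `openssl verify` twice. It assumes a reasonably current `openssl` binary on PATH; every file and subject name in it is made up for the demo.

```shell
# Added example, not from the thread: build a throwaway CA, put the CA's own
# self-signed certificate on its CRL, and see what `openssl verify` does with it.
# Assumes a reasonably current openssl on PATH; all names below are made up.
set -e

make_demo_pki() (
    dir=$(mktemp -d); cd "$dir"
    # Self-signed CA (the trust anchor) and one end-entity certificate it issued.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Demo Root CA" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out leaf.crt -days 1 >/dev/null 2>&1
    # Minimal `openssl ca` state so this CA can maintain a CRL.
    : > index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 1
EOF
    # The case asked about in the thread: the CA revokes its own certificate.
    openssl ca -config ca.cnf -revoke ca.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
    echo "$dir"
)

# -crl_check consults the CRL for the end-entity certificate only.
verify_leaf_only() {
    openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check "$1/leaf.crt"
}

# -crl_check_all consults the CRL for every certificate in the chain, root included.
verify_whole_chain() {
    openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check_all "$1/leaf.crt"
}

if command -v openssl >/dev/null 2>&1; then
    pki=$(make_demo_pki)
    verify_leaf_only "$pki" && echo "leaf-only CRL check: chain accepted"
    verify_whole_chain "$pki" || echo "whole-chain CRL check: rejected, root is on its own CRL"
fi
```

The CA tooling happily writes its own serial into the CRL, but the verifier only acts on that entry when told to check every chain element, and the root stays in the trust store either way; removing the anchor from the store is what actually ends trust in it.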
Can you please elaborate on how the higher-layer security
infrastructure would go about this?
To me, it just seems impossible to do this and the issue might only be
mitigated by spreading awareness by out-of-band means but not eliminated
until, of course, the self-signed CA certificate expires.
O
A self-signed CA certificate (technically, a "trust anchor") cannot be
revoked via CRL. This is assumed to be a function of the higher-layer
security infrastructure which led to the trust anchor being trusted in
the first place, and is outside the scope of CRL.
-Kyle H
On Mon, Jan 26, 2009 at 9:
Hi All,
Is it possible to revoke a self-signed CA certificate?
If yes, then I don't understand why it should be allowed. It does not make
sense. The only reason a root CA would want to revoke its own certificate is
if its private key might have been compromised. So, the CA would want to
revoke its