Ian G:
Ah, ok, excellent, that helps with the big question: Can we conclude from this that roots cannot be revoked by means of the OCSP/CRL channel?
No, because it depends on the application and library implementing it, I think. Apparently it's correct for NSS.
Now IMO as the root certificate signs itself, with the same authority it should be able to revoke itself. This would result obviously in repeating the process until the root is removed and not used anymore, but it would mark the root and all certificates signed by it revoked. That would be a benefit in case of a disaster (including key compromise - especially for the ones issuing EE certs directly from the root). Just my $0.02.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org