Frank Hecker:
I'm not sure what you mean by "repeating the process". How would such revocation work in practice (assuming a PKI library that did CRL checking for roots)? Would the root just sign a CRL with its own certificate's serial number on it? Presumably at that point any application retrieving such a CRL would note revocation of the root certificate, and from that point forward would refuse to recognize as valid any certificates chaining up to the root, any subsequent CRLs signed by the root, and so on. Or am I missing something?
That's entirely an implementation issue and design approach. If we assume that the root is built-in (and valid), every time a certificate issued by this root (or sub roots) is encountered, it will read the CRL and refuse to connect (or whatever). Depending on the CRL lifetime, I expect the application to repeat the CRL checking over and over again until the root is removed. But such an implementation may vary.
However, I don't want to start an endless debate about the egg-and-chicken problem here. The principle guiding my thought is that with the same authority the root was (self-)signed, it should be possible to mark the self-signed certificate invalid.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
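Worked example of the mechanism under discussion (added here; not code from either poster or from StartCom): a self-signed root issues a CRL whose only entry is its own serial number, and a checker evaluates that CRL under the two policies the thread contrasts. It assumes the `cryptography` Python package; the function names and the "Example Self-Revoking Root" name are my own.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def make_root(cn="Example Self-Revoking Root"):
    """Build a self-signed CA certificate; returns (private_key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def self_revoking_crl(key, root):
    """CRL signed by the root whose single entry is the root's own serial number."""
    now = datetime.now(timezone.utc)
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(root.serial_number)
             .revocation_date(now).build())
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(root.subject)
            .last_update(now).next_update(now + timedelta(days=7))
            .add_revoked_certificate(entry)
            .sign(key, hashes.SHA256()))


def root_status(root, crl, trust_anchor_key=True):
    """How a checker sees the root after reading the CRL it signed.

    trust_anchor_key=True : the built-in root key authenticates the CRL on its
        own, so an entry naming the root is honoured and everything chaining
        to the root is refused (the approach argued for in the reply above).
    trust_anchor_key=False: the CRL signer must itself be unrevoked, but the
        CRL says the signer is revoked, so the CRL can never be accepted and
        the checker learns nothing (the egg-and-chicken case).
    """
    if crl.issuer != root.subject or not crl.is_signature_valid(root.public_key()):
        return "crl-unauthenticated"   # not this root's CRL, or bad signature
    if crl.get_revoked_certificate_by_serial_number(root.serial_number) is None:
        return "root-valid"            # CRL is fine and does not name the root
    return "root-revoked" if trust_anchor_key else "crl-unusable"
```

A real client would also have to cache the "root-revoked" verdict, since the CRL that produced it is itself signed by the now-distrusted root and may not be accepted again on the next fetch.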