Frank Hecker wrote, On 2009-05-12 11:32:
> Paul Hoffman wrote:
>> Peter Gutmann asked on a different mailing list:
>>
>>> Subject says it all, does anyone know of a public, commercial CA
>>> (meaning one baked into a browser or the OS, including any sub-CA's
>>> hanging off the roots) ever having their certificate revoked? An
>>> ongoing private poll hasn't turned up anything, but perhaps others
>>> know of instances where this occurred.
>
> Was Peter referring to the general question of a public CA having its
> root removed from a browser for whatever reason? Or was he specifically
> referring to a public CA having a root key compromised and thus having
> the root "revoked"?

Frank,

As I understand it, doubt has been cast on the value of revocation checking of CA certs, on the grounds that CAs simply never have revoked a CA cert, and (it is suggested) likely never will.

I think this is a case where we're hoping that someone will find an example where a real public CA actually has revoked a subordinate CA cert at some point, demonstrating that revocation checking on CA certs would have been of value in that case.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto