Re: Rethink CRLs
Dan Molinelli wrote:
>
> I tend to not like CRLs. I've seen CRL lists before within X.500
> and if the CA has been compromised then ALL certs issued by that CA would
> then be revoked.
?????? Just leave the CA-issued certs alone. Revoke the CA's cert, then
when you validate the CA-issued cert's validation chain, it fails
because the CA's cert is revoked. What do you gain by revoking the
issued certs individually (and so on down the chain)?
--
Bill Buffam
Unisys, Malvern PA
bjb@trsvr.tr.unisys.com
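
The chain walk described in the reply above, as an added example that is not part of the original message: a toy Python model in which revoking only the CA's certificate makes every certificate it issued fail validation. All names, serials and the data layout are constructed, the compromised CA is assumed to be certified by a root that publishes its own CRL, and signature and validity-period checks are omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

def validate_chain(leaf, certs, crls, trust_anchors):
    """Walk from leaf up to a trust anchor; return (ok, reason).

    certs: subject -> Cert; crls: issuer name -> set of revoked serials.
    Each certificate is looked up in the CRL published by its own issuer.
    """
    cert, seen = leaf, set()
    while True:
        if cert.subject in seen:
            return False, "loop in chain at " + cert.subject
        seen.add(cert.subject)
        if cert.subject in trust_anchors:
            return True, "chain ends at trust anchor " + cert.subject
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"{cert.subject} revoked by {cert.issuer}"
        issuer = certs.get(cert.issuer)
        if issuer is None:
            return False, "no certificate for issuer " + cert.issuer
        cert = issuer

# Constructed sample hierarchy: Root CA -> Issuing CA -> two end entities.
ROOT = Cert("Root CA", "Root CA", 1)
CA = Cert("Issuing CA", "Root CA", 10)
ALICE = Cert("alice", "Issuing CA", 100)
BOB = Cert("bob", "Issuing CA", 101)
CERTS = {c.subject: c for c in (ROOT, CA, ALICE, BOB)}
ANCHORS = {"Root CA"}

def demo():
    """Validate both leaves before and after the CA's cert is revoked."""
    crls = {"Root CA": set(), "Issuing CA": set()}
    before = [validate_chain(c, CERTS, crls, ANCHORS) for c in (ALICE, BOB)]
    # Only the compromised CA's own serial goes on its issuer's CRL.
    crls["Root CA"].add(CA.serial)
    after = [validate_chain(c, CERTS, crls, ANCHORS) for c in (ALICE, BOB)]
    return before, after, crls["Issuing CA"]

if __name__ == "__main__":
    for label, results in zip(("before", "after"), demo()[:2]):
        print(label, results)
```
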