Re: Rethink CRLs

Dan Molinelli wrote:
> I tend to not like CRLs. I've seen CRL lists before within X.500
> and if the CA has been compromised then ALL certs issued by that CA would
> then be revoked.

??????  Just leave the CA-issued certs alone. Revoke the CA's cert, then
when you validate the CA-issued cert's validation chain, it fails
because the CA's cert is revoked. What do you gain by revoking the
issued certs individually (and so on down the chain)?


Bill Buffam
Unisys, Malvern PA
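
The chain check described in the reply above, as an added example that is not part of the original message: a simplified Python model in which only the CA's own certificate appears on a CRL, yet every certificate it issued fails validation. The names (`Cert`, `validate_chain`, `demo`), the serial numbers and the sample hierarchy are constructed for illustration; signature and validity-period checks are left out, and a missing CRL is treated as empty.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

def validate_chain(leaf, certs_by_subject, crls, trust_anchors):
    """Walk from leaf up to a trust anchor and return (ok, reason).

    crls maps an issuer name to the set of serials that issuer has revoked.
    Assumption of this model: an absent CRL counts as empty, and signatures
    and validity periods are not checked.
    """
    cert, seen = leaf, set()
    while True:
        if cert.subject in seen:
            return False, f"loop at {cert.subject}"
        seen.add(cert.subject)
        # A self-signed trust anchor ends the walk; it is trusted out of band.
        if cert.subject in trust_anchors and cert.issuer == cert.subject:
            return True, "chain ends at trust anchor"
        # Each certificate is checked against the CRL of its own issuer.
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"{cert.subject} revoked by {cert.issuer}"
        issuer = certs_by_subject.get(cert.issuer)
        if issuer is None:
            return False, f"no issuer certificate for {cert.subject}"
        cert = issuer

def demo():
    # Constructed hierarchy: Root -> CA1 -> {alice, bob}, Root -> CA2 -> carol
    certs = [Cert("Root", "Root", 1), Cert("CA1", "Root", 2),
             Cert("CA2", "Root", 3), Cert("alice", "CA1", 10),
             Cert("bob", "CA1", 11), Cert("carol", "CA2", 12)]
    by_subject = {c.subject: c for c in certs}
    # CA1 is compromised: Root lists CA1's serial. CA1's own CRL stays empty,
    # so alice and bob are never revoked individually.
    crls = {"Root": {2}, "CA1": set(), "CA2": set()}
    return {name: validate_chain(by_subject[name], by_subject, crls, {"Root"})
            for name in ("alice", "bob", "carol")}

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'valid' if ok else 'INVALID'} ({reason})")
```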