
Re: losing private keys

>  Of course, revoking an identity cert just divorces the
> binding between a key and a text string [or DN] -- not quite the same as
> declaring that a key is compromised or not.  So, even the X.509 folks might
> want to have a self-signed key-validity cert to add to the pool.
> Any X.509 folks care to comment on that?

I don't know whether this is X.500-related or specific to the DoD's
Network Security Management protocol, but both Certificate Revocation
Lists (CRLs) and Compromised Key Lists (CKLs) are used in NSM.  At
one time one was distributed by server-push and the other by client-pull,
but there may no longer be a difference in distribution methods.

In any case, it is possible to represent key compromise using X.509
without having to resort to self-signed certs.  Leaving that responsibility
up to the end-users doesn't fit well into the hierarchical trust mindset.
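The point made above, that X.509 can carry a compromise assertion signed by the CA rather than by the key holder, comes down to the CRL entry extension reasonCode (RFC 5280 section 5.3.1, OID 2.5.29.21), whose ENUMERATED value keyCompromise (1) is what a CKL-style "this key is compromised" statement looks like inside an ordinary CRL. The following is an added example, not code from the original thread or any project it mentions; it uses only Go's standard library (Go 1.19 or later is assumed for ParseRevocationList and CheckSignatureFrom), and the CA name, serial numbers and validity periods are constructed for the example. It builds a throwaway CA, issues a CRL listing one serial with reasonCode keyCompromise, then, acting as a relying party, verifies the CA's signature on the CRL before trusting the reason it reports.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// RFC 5280 section 5.3.1: id-ce-cRLReasons, a CRL entry extension carrying an ENUMERATED.
var oidCRLReason = asn1.ObjectIdentifier{2, 5, 29, 21}

// CRLReason ::= ENUMERATED { unspecified (0), keyCompromise (1), cACompromise (2), ... }
const reasonKeyCompromise = 1

// makeCA builds a throwaway self-signed CA that is allowed to sign CRLs (constructed for this example).
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is required to issue CRLs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	// Re-parse so the generated SubjectKeyId is populated; CreateRevocationList needs it.
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// IssueCompromiseCRL returns a DER CRL, signed by the CA, listing `serial` with reasonCode keyCompromise.
// The compromise statement is thus asserted by the hierarchy, not by a self-signed statement from the key holder.
func IssueCompromiseCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) ([]byte, error) {
	reasonDER, err := asn1.Marshal(asn1.Enumerated(reasonKeyCompromise))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(7), // CRL number; a constructed value for the example
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{
			SerialNumber:   serial,
			RevocationTime: now,
			Extensions:     []pkix.Extension{{Id: oidCRLReason, Value: reasonDER}},
		}},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// CompromiseReason is the relying-party side: it verifies the CA's signature on the CRL first,
// then reports whether `serial` is listed and with which reason code (0 = unspecified).
func CompromiseReason(crlDER []byte, ca *x509.Certificate, serial *big.Int) (revoked bool, reason int, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, 0, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, 0, err // an unsigned or wrongly signed CRL must not be trusted at all
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) != 0 {
			continue
		}
		for _, ext := range rc.Extensions {
			if ext.Id.Equal(oidCRLReason) {
				var r asn1.Enumerated
				if _, err := asn1.Unmarshal(ext.Value, &r); err != nil {
					return true, 0, err
				}
				return true, int(r), nil
			}
		}
		return true, 0, nil // listed, but no reasonCode extension present
	}
	return false, 0, nil
}

func main() {
	ca, key, err := makeCA()
	if err != nil {
		panic(err)
	}
	serial := big.NewInt(4242) // constructed serial of the certificate whose key was lost
	crlDER, err := IssueCompromiseCRL(ca, key, serial)
	if err != nil {
		panic(err)
	}
	revoked, reason, err := CompromiseReason(crlDER, ca, serial)
	fmt.Printf("revoked=%v reasonCode=%d err=%v\n", revoked, reason, err)
}
```

The relying party checks the CRL signature against the issuing CA before reading any entry; a CRL presented with the wrong issuer is rejected outright rather than being read as "not revoked".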