Re: Dedicated CRL signing keys

[Juergen Brauckmann <brauckmann@xxxxxxxxxxxxxx>]

Russ Housley wrote:
> I propose the following solution that builds on the Indirect CRL
> capabilities that are already available.  When a CA wants to employ
> separate private keys to sign certificates and CRLs, then that CA MUST
> delegate CRL signing to a separate authority.  That separate authority MUST
> have a different Distinguished Name that the CA, 

Why must it have a different DN?

Regards,
   Juergen