Question: who signs a CRL if the CA certificate, that signs it, is immediately revoked?
Hello all!
Suppose a simple situation in which a certificate chain is constituted
only by two certificates: a trusted (by some important authority) root
certificate (self-signed) and an end-entity certificate, signed by that
root certificate.
The same root certificate also signs the certificate revocation list (a
unique CRL that contains all revoked certificates, for all reasons).
The problem is: who signs the CRL when the root certificate is
immediately revoked, because of, for example, CA compromise?
Probably it is necessary to create a new couple of keys (and so a new
root certificate) and sign the CRL with the new CA private key?
Or is it possible to create a couple of CA keys to sign only
certificate revocation list and not to make provision for revoking this
last CA root certificate?
I would like to receive suggestions about this topic.
Thank you in advance.
regards
Carolina