CRLs signed with a cert on the CRL
And now for something completely different:
To the best of my knowledge (point it out if I missed it again), PKIX is
silent on this issue. I'm trolling for opinions, since I have now seen this
happen twice in a laboratory environment.
Suppose that a CA issues a CRL. That CRL is signed with the CA's key. On
that CRL is the CA's certificate - the one associated with the key used to
sign the CRL.
What do you do:
- reject the CRL as having been signed with a key associated with a
revoked certificate?
- accept the CRL as valid, since the signing key is not revoked until
after the CRL is accepted, and then mark the certificate as revoked?
- does it make a difference what reason code was given for revocation?
As I noted, I've now seen this happen twice in a lab environment. In one
case, the person using the CA workstation was a newbie, and not paying
attention besides. He picked a certificate at random to revoke; by
coincidence, it was the self-signed CA certificate. He didn't realize it
until after he sent out the CRL.
In the second case, the person operating the CA was in a hurry to take down
an entire community and set up another one. So, she just decided to revoke
ALL the certificates issued by the CA (including the self-signed one :-) and
sent out a CRL.
The reaction to these events was pretty random. Some end-entity
applications accepted the CRL; others rejected it. Two or three end-entity
applications just died.
Is there a desired behavior in this situation?
Thanks for the input,
Al Arsenault
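One way a relying party could at least surface this case explicitly rather than crashing, as an added example that is not from the post or from any PKIX implementation: it uses the pyca/cryptography library and a constructed "Lab CA" fixture (hypothetical names and serials), verifies the CRL signature under the CA key, and then reports whether the signing certificate is on the CRL together with its reason code, leaving the accept/reject decision to the application's policy.

```python
import datetime
from enum import Enum
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

class CrlStatus(Enum):
    ISSUER_MISMATCH = "CRL issuer name does not match the CA certificate"
    BAD_SIGNATURE = "CRL signature does not verify under the CA key"
    ISSUER_NOT_LISTED = "CRL is valid and the CA certificate is not on it"
    ISSUER_ON_OWN_CRL = "CRL is valid but lists the certificate that signed it"

def check_crl(crl, ca_cert):
    """Return (status, reason_code) and never raise; reason_code is the
    CRLReason name (e.g. 'key_compromise') or None when not applicable."""
    if crl.issuer != ca_cert.subject:
        return CrlStatus.ISSUER_MISMATCH, None
    if not crl.is_signature_valid(ca_cert.public_key()):
        return CrlStatus.BAD_SIGNATURE, None
    entry = crl.get_revoked_certificate_by_serial_number(ca_cert.serial_number)
    if entry is None:
        return CrlStatus.ISSUER_NOT_LISTED, None
    try:  # the reason code is optional per entry; report it so policy can use it
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.name
    except x509.ExtensionNotFound:
        reason = "unspecified"
    return CrlStatus.ISSUER_ON_OWN_CRL, reason

def build_lab_scenario(revoke_self, reason="cessation_of_operation"):
    """Constructed fixture (hypothetical 'Lab CA'): a self-signed CA and a CRL
    it signs; with revoke_self=True the CRL lists the CA's own certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Lab CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    week = datetime.timedelta(days=7)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + 52 * week)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    builder = (x509.CertificateRevocationListBuilder().issuer_name(name)
               .last_update(now).next_update(now + week))
    # A constructed end-entity serial (4242) is always listed; the CA's own only on request.
    for serial in [4242] + ([cert.serial_number] if revoke_self else []):
        entry = (x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
                 .add_extension(x509.CRLReason(x509.ReasonFlags[reason]), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return cert, builder.sign(key, hashes.SHA256())
```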