[cryptography] How are expired code-signing certs revoked?

ianG iang at iang.org
Sun Dec 11 07:27:44 EST 2011

On 8/12/11 02:11 AM, dan at geer.org wrote:
> Another wrinkle, at least as a logic problem, would be
> whether you can revoke the signing cert for a CRL and
> what, exactly, would that mean -- particularly if the
> last known good date is well astern and hence the
> revocation would optimally be retroactive.

Is the logical answer here that you have to treat the signing cert for a 
CRL at the same level as the root concerned?

So a CRL-signing cert for a sub-root (generally one and the same thing) 
would (both) want to be revoked at the root level, that is, appear in 
the CRL as signed by the root.  Whether it works that way in practice, I 
don't know.  I suppose I should...

In PKI it's a fairly well established principle that the layer one up 
has to revoke [0].  So, when some roots needed to be revoked recently, 
browsers had to ship new software.  Vendors are the ueber-CA.  
Therefore, the CRL/OCSP certs for a root can only be revoked at software 

> --dan, quite possibly in a rat hole

iang, we're all in rat holes together

[0] Unlike PGP where self can revoke self;  there are no layers.

More information about the cryptography mailing list