On Wed, Dec 12, 2012 at 12:32 AM, Hans Leidekker hans@codeweavers.com wrote:
On Tue, 2012-12-11 at 12:59 -0800, Juan Lang wrote:
Getting the client to trust the server cert can be as easy as ignoring untrusted
root errors, if you don't think this impacts the revocation results.
Returning revocation is straightforward enough, assuming you have a server under
your control.
So self-sign the CRL too. I guess that might work if ignoring untrusted root errors extends to verification of the CRL.
Actually, I was thinking a 2-certificate chain, with the root signing the
CRL. I don't think a cert that revokes itself has a lot of meaning.
--Juan