On Wed, Dec 12, 2012 at 12:32 AM, Hans Leidekker <hans@codeweavers.com> wrote:
> On Tue, 2012-12-11 at 12:59 -0800, Juan Lang wrote:
> > Getting the client to trust the server cert can be as easy as ignoring untrusted
> > root errors, if you don't think this impacts the revocation results.
> >
> > Returning revocation is straightforward enough, assuming you have a server under
> > your control.
>
> So self-sign the CRL too. I guess that might work if ignoring untrusted root
> errors extends to verification of the CRL.

Actually, I was thinking a 2-certificate chain, with the root signing the CRL. I don't think a cert that revokes itself has a lot of meaning.
--Juan
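
The fixture discussed in this thread (a two-certificate chain whose root signs a CRL revoking the leaf), sketched as an added example that is not part of the original messages or of any project's test suite. It assumes the Python `cryptography` package; the subject names, key type and lifetimes are constructed test values.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, pubkey, signing_key, is_ca):
    # Constructed test certificate; serial is random, validity is 30 days.
    return (x509.CertificateBuilder()
            .subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                           critical=True)
            .sign(signing_key, hashes.SHA256()))

def build_fixture():
    # Untrusted test root, a leaf issued by it, and a root-signed CRL
    # that lists the leaf's serial number.
    root_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    root = make_cert("Test Root", "Test Root", root_key.public_key(), root_key, True)
    leaf = make_cert("test.invalid", "Test Root", leaf_key.public_key(), root_key, False)
    revoked = (x509.RevokedCertificateBuilder()
               .serial_number(leaf.serial_number)
               .revocation_date(NOW).build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(root.subject)
           .last_update(NOW).next_update(NOW + DAY)
           .add_revoked_certificate(revoked)
           .sign(root_key, hashes.SHA256()))
    return root, leaf, crl

def is_revoked(cert, issuer, crl):
    # Accept the CRL only if it names the cert's issuer and verifies
    # under the issuer's public key; then look up the serial.
    if crl.issuer != cert.issuer or not crl.is_signature_valid(issuer.public_key()):
        raise ValueError("CRL was not issued by this certificate's issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

Serving the leaf from a test server and the CRL from a URL the client will fetch is outside this sketch; the root stays untrusted, so the client-side test still has to tolerate the untrusted-root error for both chain and CRL verification.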