
> Why is the power of revocations in cert issuer's hands? As long as the private key is private

Because a major reason for revocation is when the private key has been compromised.




>> Why is the power of revocations in cert issuer's hands? As long as the private key is private

>Because a major reason for revocation is when the private key has been compromised.

His point is that whoever compromised the key is not interested in putting it in the revocation list. If he does it... well, he did the good thing.


I see. Using the private key to revoke the certificate would be a denial of service attack, so requiring the CA for revocation avoids that, but admittedly it's not the first thing to worry about when a private key is compromised.


So? Even if the key is in the hands of an attacker, what can they do to the corresponding entry in a revocation list? Add it, nothing else!

Unless you mean that the owner has lost access to the private key itself. For that case, I can see CAs having the power to revoke certs in addition to my suggested method.
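An added example illustrating the mechanism the thread is arguing about (the "CA holds revocation" point and the "key holder adds the entry" proposal above); it is not code from any commenter. It assumes the Python `cryptography` package is installed and builds a throwaway CA, a leaf certificate and a CRL entirely in memory: the CRL is signed with the issuer's key, so a list signed with the leaf's own key, whatever it claims, fails the relying party's signature check. The names `Example Test CA` and `leaf.example.test` are constructed sample values.

```python
"""Why a CRL entry can only be published by the issuer: the list is signed
with the CA's key, not the leaf's.  A throwaway PKI is built in memory with
the `cryptography` package (assumed installed); all names are constructed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_ca_and_leaf():
    """Self-signed CA plus one leaf certificate it issued (constructed sample PKI)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = _make_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name)
        .issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = _make_key()
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.test")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_key, leaf_cert


def build_crl(signing_key, issuer_cert, revoked_serials):
    """Build a CRL naming `issuer_cert` as issuer, signed with whatever key is passed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(now - datetime.timedelta(minutes=1))
        .next_update(now + datetime.timedelta(days=1))
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .build()
        )
    return builder.sign(signing_key, hashes.SHA256())


def is_revoked(crl, issuer_cert, leaf_cert):
    """Relying-party check: trust the CRL only if the issuer's key signed it,
    then look the leaf's serial number up in it."""
    if not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuer")
    return crl.get_revoked_certificate_by_serial_number(leaf_cert.serial_number) is not None


def demo():
    """Returns (revoked_by_ca, forged_crl_accepted)."""
    ca_key, ca_cert, leaf_key, leaf_cert = build_ca_and_leaf()

    # The issuer publishes a CRL listing the leaf: a relying party accepts it.
    ca_crl = build_crl(ca_key, ca_cert, [leaf_cert.serial_number])
    revoked_by_ca = is_revoked(ca_crl, ca_cert, leaf_cert)

    # Whoever holds the leaf's private key produces a list with identical
    # content, but it carries the leaf key's signature, not the issuer's,
    # so the relying party's signature check rejects it outright.
    leaf_signed_crl = build_crl(leaf_key, ca_cert, [leaf_cert.serial_number])
    forged_accepted = leaf_signed_crl.is_signature_valid(ca_cert.public_key())

    return revoked_by_ca, forged_accepted


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second CRL is the "key holder revokes" case from the thread: without the issuer's signing key, the list is just unverifiable bytes to any client that checks the signature, which is why both revocation and its denial-of-service potential sit with the CA rather than with whoever holds the leaf key.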



