by zenexer
2176 days ago
The author claims it’s a problem because one sub-CA can effectively un-revoke its own certificate and certificates from other sub-CAs. That’s bad because it defeats the most important purpose of revocation. If someone compromises a key, typically, you would want to revoke it. However, if that key also allows revocation to be reversed, you’re in trouble. I’ve explained more in a top-level comment: https://news.ycombinator.com/item?id=23747524