[caops-wg] Encoding AIA in first-level Proxy Cert

[Cowles, Robert D.]

> In DOEGrids ... I am not sure about every other IGTF PKI however ...
> end entity certificates can revoke themselves. It's often done. For
> instance, when a security issue arose at one site, several customers
> revoked their own certificates until local problems were cleared up.
> 
> Why wouldn't we permit this idea to be extended to proxy certs?
> That is, why shouldn't a proxy cert be permitted to revoke itself?
> What conditions would speak against that?

It does cerate an interesting denial of service possibillity
in that if I compromise a machine that has proxy certs going thru
it, I can revoke all subsequent proxies for the whatever proxy certs 
I find on that machine.  If a higher level had to do the revocation
then I would have to know something about the proxy certs generated 
by apps using those proxies, and it would seem more difficult t
get that information.

BC