CA/Revocation Reasons: Difference between revisions

# Eve has now managed to deny service to Alice by abusing the revocation policy.


TO DO
In order to prevent this type of denial of service, the person requesting that a TLS certificate be revoked for keyCompromise must have previously demonstrated, or must be able to currently demonstrate, possession of the certificate's private key before the CA revokes all instances of that key across all subscribers.
* Have a sub-section about key compromise regarding CSRs and verifiable evidence of compromise.
* Currently there is not a standard way to demonstrate possession of the private key.
* Document a few non-exclusive ways to confirm possession of the private key.

Currently there is not a standard way to demonstrate possession of the private key. Here are a few ways that CAs may confirm possession of the private key:
=== CSRs ===
* TO DO
* While a generic CSR alone does not prove possession of the certificate's private key, could a CSR with a specific common name do so (e.g. "Proof of Key Compromise for [name of CA]")?
* If a CSR alone does not prove possession of the certificate's private key, what kind of verifiable evidence could it be?
* Why should the CA care whether the subscriber possesses the associated private key, if the CA has already authenticated the subscriber? Is it meant to let the CA decline the subscriber's request in this case?
* How can it be determined? By self-declaration of the requester?
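As an added example of the CSR approach sketched above (not text or code from this wiki page), the script below shows how a CA could check a "proof of key compromise" CSR: the CSR must verify under its own embedded key, that key must match the certificate's public key, and the subject must be the agreed challenge string. The challenge string, file names and the constructed sample material are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: CA-side check of a key-compromise CSR.
# Assumed challenge string the requester must place in the CSR subject CN.
CHALLENGE_CN="Proof of Key Compromise for Example CA"

# check_key_compromise_csr CERT.pem CSR.pem
# Returns 0 only if the CSR demonstrates possession of CERT's private key.
check_key_compromise_csr() {
    cert="$1"; csr="$2"
    # 1. The CSR's self-signature must verify: its author held the private key
    #    matching the public key embedded in the CSR.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # 2. That public key must be the one certified in CERT (compare PEM SPKI).
    cert_spki=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    csr_spki=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_spki" ] && [ "$cert_spki" = "$csr_spki" ] || return 1
    # 3. The subject must be the agreed challenge, so an old CSR the subscriber
    #    sent for another purpose cannot be replayed as evidence of compromise.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null \
              | sed 's/^subject=//')
    [ "$subject" = "CN=$CHALLENGE_CN" ] || return 1
    return 0
}

# make_sample_dir: constructed test material; prints the directory path.
#   alice.crt/alice.key  the subscriber's certificate and private key
#   good.csr             challenge CSR signed with alice.key   (accept)
#   eve.csr              challenge CSR signed with another key (reject)
#   stale.csr            ordinary CSR signed with alice.key    (reject)
make_sample_dir() {
    dir=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/alice.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/alice.key" -subj "/CN=alice.example" -days 1 \
        -out "$dir/alice.crt" 2>/dev/null
    openssl req -new -key "$dir/alice.key" -subj "/CN=$CHALLENGE_CN" \
        -out "$dir/good.csr" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/eve.key" 2>/dev/null
    openssl req -new -key "$dir/eve.key" -subj "/CN=$CHALLENGE_CN" \
        -out "$dir/eve.csr" 2>/dev/null
    openssl req -new -key "$dir/alice.key" -subj "/CN=alice.example" \
        -out "$dir/stale.csr" 2>/dev/null
    echo "$dir"
}

dir=$(make_sample_dir)
for name in good eve stale; do
    if check_key_compromise_csr "$dir/alice.crt" "$dir/$name.csr"; then
        echo "$name.csr: possession of the certificate's private key demonstrated"
    else
        echo "$name.csr: rejected"
    fi
done
```

Only good.csr is accepted; eve.csr fails the public-key comparison and stale.csr fails the challenge-subject check even though it was signed with the right key.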


== OCSP and CRL ==