Changes

CA/Revocation Reasons

1,099 bytes added, 23:11, 25 May 2022
m (added clarification)
== Key Compromise ==
Section 6.1.1 of Mozilla's Root Store Policy says: <br> ''The CRLReason keyCompromise MUST be used when one or more of the following occurs: the CA operator obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise ...''<br>Additionally, the CA operator must meet the requirements of section 4.9.1.1 of the [https://cabforum.org/baseline-requirements-documents/ BRs], which says: <br>''The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs: ... The CA obtains evidence that the Subscriber’s Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise ...''<br>When key compromise has been demonstrated, the CA must revoke all certificates that share the compromised key.<br><br>Section 6.1.1 of Mozilla's Root Store Policy also takes into account situations that may occur when the certificate subscriber requests that their certificate be revoked for the keyCompromise revocation reason. The policy says that a CSR (certificate signing request) alone does not prove possession of the certificate’s private key for the purpose of initiating a revocation, and it makes the following clarification regarding the scope of revocation when the certificate subscriber requests revocation for the keyCompromise revocation reason: <br>
''The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate. A CSR alone does not prove possession of the certificate’s private key for the purpose of initiating a revocation.''
* ''If anyone requesting revocation has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.''