Changes


CA/Revocation Reasons

1,329 bytes added, 23:41, 25 May 2022
Added Scope of Revocation section
In order to prevent this type of denial of service, the person requesting that a TLS certificate be revoked for keyCompromise must have previously demonstrated or must be able to currently demonstrate possession of the private key of the certificate before the CA revokes all instances of that key across all subscribers.
 
=== Scope of Revocation ===
The following situations may occur when a certificate subscriber requests revocation for keyCompromise.
# The certificate subscriber requesting the revocation demonstrates possession of the private key.
#* The CA must revoke all instances of that key across all subscribers
# The certificate subscriber requesting the revocation has not demonstrated possession of the private key, and the CA does not have evidence of private key compromise.
#* The CA must not revoke all instances of that key across all subscribers
#** Unless/until the CA receives evidence of private key compromise
#* The CA may revoke all certificates associated with that subscriber that contain that public key
#* The CA may block issuance of future certificates with that key for that subscriber
# The certificate subscriber previously requested revocation without demonstrating possession of the private key, and later sends another revocation request which does demonstrate possession of the private key.
#* The CA must revoke all instances of that key across all subscribers
# The certificate subscriber previously requested revocation without demonstrating possession of the private key, and later the CA receives evidence of private key compromise.
#* The CA must revoke all instances of that key across all subscribers
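
The scoping rule in the list above, as an added example (not part of the wiki page or any CA's code). It assumes possession is demonstrated by an ECDSA P-256 signature over a CA-issued nonce, a method this page does not specify; `Request`, `provesPossession`, `RevokeAllSubscribers` and `Demo` are hypothetical names, and the keys and nonce are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Request is a hypothetical keyCompromise revocation request (assumed shape).
type Request struct {
	CertKey *ecdsa.PublicKey // public key taken from the certificate
	Nonce   []byte           // challenge issued by the CA for this request
	Sig     []byte           // ASN.1 ECDSA signature over SHA-256(Nonce); may be empty
}

// provesPossession is true only if Sig verifies under the certificate's key.
func provesPossession(r Request) bool {
	if r.CertKey == nil || len(r.Nonce) == 0 || len(r.Sig) == 0 {
		return false
	}
	h := sha256.Sum256(r.Nonce)
	return ecdsa.VerifyASN1(r.CertKey, h[:], r.Sig)
}

// RevokeAllSubscribers: true means the key is revoked across all subscribers;
// false means any action stays scoped to the requesting subscriber.
func RevokeAllSubscribers(r Request, caHasEvidence bool) bool {
	return provesPossession(r) || caHasEvidence
}

// Demo builds constructed requests and returns the decision for each.
func Demo() (proved, unproved, forged, evidenceLater bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // subscriber key
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // unrelated key
	nonce := []byte("constructed-ca-challenge-0001")
	h := sha256.Sum256(nonce)
	good, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	bad, _ := ecdsa.SignASN1(rand.Reader, other, h[:])
	proved = RevokeAllSubscribers(Request{&key.PublicKey, nonce, good}, false)
	unproved = RevokeAllSubscribers(Request{&key.PublicKey, nonce, nil}, false)
	forged = RevokeAllSubscribers(Request{&key.PublicKey, nonce, bad}, false)
	evidenceLater = RevokeAllSubscribers(Request{&key.PublicKey, nonce, nil}, true)
	return
}

func main() { fmt.Println(Demo()) }
```

The `forged` case is the denial of service the rule prevents: a request signed with some other key does not widen revocation beyond the requesting subscriber.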
 
=== Possession of Private Key ===