#* The CA must revoke all instances of that key across all subscribers
# The certificate subscriber requesting the revocation has not demonstrated possession of the private key, and the CA does not have evidence of private key compromise.
#* The CA must not revoke all instances of that key across all subscribers
#** Unless/until the CA receives evidence of private key compromise
#* The CA may revoke all certificates associated with that subscriber that contain that public key
#* The CA may block issuance of future certificates with that key for that subscriber
#* Unless the CA receives evidence of private key compromise the CA must not revoke all instances of that key across all other subscribers
# The certificate subscriber previously requested revocation without demonstrating possession of the private key, and later sends another revocation request which does demonstrate possession of the private key.
#* The CA must then revoke all instances of that key across all subscribers
# The certificate subscriber previously requested revocation without demonstrating possession of the private key, and later the CA receives evidence of private key compromise.
#* The CA must then revoke all instances of that key across all subscribers
=== Possession of Private Key ===