
Say I am building Certificate Authority software and I want to automate certificate revocation as much as possible. I know it will not be possible in some cases, like if the building where the certificate, keys and other supporting documents were kept burned down to the ground.

But there are many cases where automation would help:

  • A typo was made in the name
  • A subject alt name is missing
  • The key was compromised

In those cases where the key is still available, I could issue a signed "certificate revocation request". Of course, a bad guy could issue the same request, but this is what we want in the end.

But there is no standard revocation request. RFC 5280, section 3.5 says this at item (f):

revocation request: An authorized person advises a CA of an abnormal situation requiring certificate revocation.

Was this hypothetical standard revocation request left out of the standard because of a security issue, or was it an oversight, not a design goal, etc.?

ixe013

1 Answer


There is a standard for that, and, more generally, for all communications with a PKI. It is called Certificate Management Protocol (CMP). Revocation requests are specified in section 5.3.9.

Now, finding a PKI that actually implements CMP... this may be challenging.

Thomas Pornin