leftbehind
10 months ago
IIRC, if you have a private key you can be able to force a revocation regardless of what the owner wants. In some such as Let's Encrypt it is fully automated.
If this is a repo private, you should be realize it with a private CA that you import or is on every corp machine.
Baseline Requirements force a revocation within x hours on key disclosure.
JakaJancar
10 months ago
HN comes through in 10 min :)
I didn't know about CA/Browser forum and the Baseline Requirements. Thanks, will check it out!
// Edit: Relevant section:
The Subscriber Agreement or Terms of Use MUST contain provisions imposing on the Applicant [..] the following obligations and warranties:
[...]
Protection of Private Key: An obligation and warranty by the Applicant to take all reasonable measures to assure control of, keep confidential, and properly protect at all times the Private Key [...]
leftbehind
10 months ago
:)
> Looking at digicert[1], if a revocation request is submitted, the owner must approve it. What happens if I just don't approve it?
So in this case, this is the happy-case where you as the owner wish to simply realize the cancellation a cert that you are no longer using.
A different workflow applies, such that you have the private key you instead send a POST to 'https://problemreport.digicert.com/api/keys/compromised' with the private key in the JSON body and it will be queued. It is mandatory Baseline Requirements wise to cancel the certificate within 24 hours in the compromised case - usually instant if the pk matches cert - with the expectation that of course the owner will not go this route.
JakaJancar
10 months ago
Makes sense, thanks!