Confirm, administrator
5,526
edits
Changes
m
Added further clarifications
''The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs: ... The CA obtains evidence that the Subscriber’s Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise ...''
<br>
When key compromise has been demonstrated the CA must revoke all certificates instances of that share the compromised keyacross all subscribers.
<br><br>
Section 6.1.1 of Mozilla's Root Store Policy also takes into account situations that may occur when the certificate subscriber requests that their certificate be revoked for the keyCompromise revocation reason. The policy says that a CSR (certificate signing request) alone does not prove possession of the certificate’s private key for the purpose of initiating a revocation, and the following clarification is made in regards to the scope of revocation when the certificate subscriber requests revocation for keyCompromise revocation reason: <br>
