Reporting key compromise for six day certs

Hey all,

When 6-day certs become generally available, they won't have CRL/OCSP URLs, so they essentially cannot be revoked. Despite this, will the revokeCert ACME endpoint still work for reporting a key compromise if the JWT is signed with the certificate's private key?

It'd be a bit of a misnomer, since it wouldn't be able to revoke any of the 6-day certs that have been issued that use that key, but it should still prevent the key from being reused in the future.

The BRs seem a bit confusing on this point. My reading of 6.1.1.3 and 4.9 is that revocations don't have to be supported by CAs for short-lived certs, but revocation requests (including for key compromises) do have to be supported.

Of course, using six-day certificates and then reusing private keys is counterproductive, but I'm sure it will happen, since some ACME clients reuse private keys by default, unfortunately.

Keeping revokeCert working for reporting key compromises of six-day certs seems sensible to me, but I'm interested to hear what LE and other people think. 🙂

7 Likes
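For readers who haven't looked at how the certificate-key-signed revokeCert request in RFC 8555 section 7.6 actually hangs together, here is an added example (my own code, not from this thread, Let's Encrypt or Boulder). It builds the flattened JWS on the client side, signed with the certificate's key and carrying that key as `jwk` instead of an account `kid`, and then performs the checks a CA needs on the server side: the `jwk` must equal the certificate's public key, the signature must verify under that key, and the result is an SPKI hash the CA can blocklist so the key is refused at future issuance even though the six-day certificate itself has nothing to revoke. Assumptions not in the thread: P-256/ES256 only, a constructed self-signed six-day certificate standing in for a CA-issued one, a hypothetical revocation URL, and no nonce replay checking (a real CA checks `nonce` against the ones it issued).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

const reasonKeyCompromise = 1 // CRLReason keyCompromise, RFC 5280 section 5.3.1

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ecJWK renders a P-256 public key as the "jwk" protected-header value (RFC 7518 section 6.2).
func ecJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64(pub.X.FillBytes(make([]byte, 32))), "y": b64(pub.Y.FillBytes(make([]byte, 32)))}
}

// BuildRevokeRequest builds the flattened JWS for POST revokeCert (RFC 8555 section 7.6),
// signed with the certificate's own private key, so no ACME account ("kid") is involved.
func BuildRevokeRequest(certDER []byte, certKey *ecdsa.PrivateKey, nonce, url string) (map[string]string, error) {
	protected, _ := json.Marshal(map[string]interface{}{
		"alg": "ES256", "jwk": ecJWK(&certKey.PublicKey), "nonce": nonce, "url": url})
	payload, _ := json.Marshal(map[string]interface{}{"certificate": b64(certDER), "reason": reasonKeyCompromise})
	// JWS signing input is BASE64URL(protected) "." BASE64URL(payload); ES256 hashes it with SHA-256.
	h := sha256.Sum256([]byte(b64(protected) + "." + b64(payload)))
	r, s, err := ecdsa.Sign(rand.Reader, certKey, h[:])
	if err != nil {
		return nil, err
	}
	// ES256 wire form is r || s, each left-padded to 32 bytes (RFC 7518 section 3.4), not ASN.1.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return map[string]string{"protected": b64(protected), "payload": b64(payload), "signature": b64(sig)}, nil
}

// VerifyKeyCompromiseProof performs the CA-side checks that make the request a proof of
// possession: the header JWK must be the certificate's key and the signature must verify
// under it. It returns the SHA-256 of the key's SubjectPublicKeyInfo, a stable identifier a
// CA can blocklist so the key is refused at future issuance even though the short-lived
// certificate has no CRL/OCSP entry to revoke. Nonce replay checking is omitted here.
func VerifyKeyCompromiseProof(req map[string]string, expectedURL string) ([32]byte, error) {
	var fp [32]byte
	protected, err1 := base64.RawURLEncoding.DecodeString(req["protected"])
	payload, err2 := base64.RawURLEncoding.DecodeString(req["payload"])
	sig, err3 := base64.RawURLEncoding.DecodeString(req["signature"])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return fp, errors.New("malformed JWS encoding")
	}
	var hdr struct{ Alg, Kid, URL string; JWK map[string]string }
	var body struct{ Certificate string; Reason int }
	if json.Unmarshal(protected, &hdr) != nil || json.Unmarshal(payload, &body) != nil {
		return fp, errors.New("malformed JWS JSON")
	}
	if hdr.Alg != "ES256" || hdr.JWK == nil || hdr.Kid != "" || hdr.URL != expectedURL || body.Reason != reasonKeyCompromise {
		return fp, errors.New("expected an ES256 jwk-signed keyCompromise request for this URL")
	}
	der, err := base64.RawURLEncoding.DecodeString(body.Certificate)
	if err != nil {
		return fp, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fp, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return fp, errors.New("certificate key is not P-256")
	}
	// Proof of possession: the JWK that claims to have signed must be the certificate's own key.
	if want := ecJWK(pub); hdr.JWK["crv"] != want["crv"] || hdr.JWK["x"] != want["x"] || hdr.JWK["y"] != want["y"] {
		return fp, errors.New("jwk is not the certificate's public key")
	}
	h := sha256.Sum256([]byte(req["protected"] + "." + req["payload"]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fp, errors.New("signature does not verify under the certificate key")
	}
	spki, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a parsed P-256 key
	return sha256.Sum256(spki), nil
}

// DemoCertAndKey makes a constructed self-signed six-day P-256 certificate standing in for a
// CA-issued short-lived certificate; like those, it carries no CRL or OCSP URLs.
func DemoCertAndKey() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(6 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}
```

Usage: call `DemoCertAndKey`, feed the DER and key to `BuildRevokeRequest` with a nonce and the revocation URL, and hand the resulting map to `VerifyKeyCompromiseProof` with the same URL; a request signed by any key other than the certificate's, or replayed against a different URL, is rejected. The point for this thread is the last step: what the CA keeps is the SPKI hash, not a revocation entry, so the workflow is meaningful even for a certificate that expires before a CRL could matter.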

I have had many of the same questions/concerns. The reuse of keys is a bit of another matter to me, but the reporting-of and discontinued-use-of compromised keys is clearly necessary.

4 Likes

Yes, we are planning to have the ACME revocation APIs still available. Key Compromise and blocking will work the same as it does today.

8 Likes

That's what I expected. Thanks for confirming, @mcpherrinm. 🙂

2 Likes
