Hey all,
When 6-day certs become generally available, they won't have CRL/OCSP URLs, so they essentially cannot be revoked. Despite this, will the revokeCert ACME endpoint still work for reporting a key compromise if the JWT is signed with the certificate's private key?
It'd be a bit of a misnomer, since it wouldn't be able to revoke any of the 6 day certs that have been issued that use that key, but it should still prevent the key from being reused in the future.
The BRs seem a bit confusing on this point. My reading of 6.1.1.3 and 4.9 is that revocations don't have to be supported by CAs for short-lived certs, but revocation requests (including for key compromises) do have to be supported.
Of course, using six-day certificates and then reusing private keys is counterproductive, but I'm sure it will happen, since some ACME clients reuse private keys by default, unfortunately.
Keeping revokeCert working for reporting key compromises of six-day certs seems sensible to me, but I'm interested to hear what LE and other people think.