Revocation behaviour

Not sure if I’m missing something here or just missed some announcement, but while testing v2 of the API I have noticed that revocation now behaves differently. For version 1 of the API, using either of the 2 keys (the “account” or the “domain” one) along with the certificate in the revocation request would have resulted in a successful revocation.

However, if you try revocation against the v2, then it will work with the “domain” key but will return the following error if used with the “account” key: “JWK embedded in revocation request must be the same public key as the cert to be revoked”. That is likely related to the following commit - https://github.com/letsencrypt/boulder/commit/29377bb9d24a5318f048f8ca43f806620be04335

The comments around revokeCertByJWK in the commit above seem to indicate that it is indeed a domain key that is expected there, but https://tools.ietf.org/html/draft-ietf-acme-acme-09#section-7.6 mentions the “account” key rather than the “domain” one for the revocation request. Is this an intentional change (so the specification needs to be updated), or a bug?

I’m guessing @cpu has the answer to the above, but was wondering if anyone else has observed this behaviour as well?

If you want to revoke using the account key, you need to follow the “kid” style of signing rather than the “jwk” style of signing.

Would that be in line with the section 6.2 of that IETF draft?

o The JWS Protected Header MUST include the following fields:

  *  "jwk" (JSON Web Key, only for requests to new-account and
     revoke-cert resources)

  *  "kid" (Key ID, for all other requests)
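As an added illustration (not from this thread, the draft, or Boulder's own code), the following Python models the two authorization paths for revoke-cert discussed above: a request with an embedded "jwk" must carry the certificate's own public key (compared by RFC 7638 thumbprint), while a "kid" request is signed by the account key and is checked against what that account is authorized for. Signature verification is assumed to have happened before this step, and the account store, account URL and key values are constructed placeholders.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, in lexicographic
    order, with no whitespace. Optional members such as "alg" never affect it, so two
    JWKs describe the same key exactly when their thumbprints match."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def authorize_revocation(protected: dict, cert_jwk: dict, cert_names: set, accounts: dict) -> str:
    """Decide whether a revoke-cert request is authorized. Assumes the JWS signature was
    already verified against the key the protected header names (embedded jwk, or the
    stored key of the kid account). Returns "ok" or a rejection reason (constructed)."""
    if "jwk" in protected and "kid" in protected:
        return "protected header must carry exactly one of jwk or kid"
    if "jwk" in protected:
        # Embedded-key path: only the certificate's own key may revoke it.
        if jwk_thumbprint(protected["jwk"]) != jwk_thumbprint(cert_jwk):
            return "JWK embedded in revocation request must be the same public key as the cert to be revoked"
        return "ok"
    if "kid" in protected:
        # Account-key path: the account must exist and hold authorizations for
        # every name in the certificate.
        account = accounts.get(protected["kid"])
        if account is None:
            return "unknown account"
        if not cert_names <= account["authorized_names"]:
            return "account is not authorized for all names in the certificate"
        return "ok"
    return "protected header must carry jwk or kid"

# Constructed sample keys and account store (placeholder values, not real moduli).
CERT_KEY = {"kty": "RSA", "e": "AQAB", "n": "cert-modulus-placeholder", "alg": "RS256"}
ACCOUNT_KEY = {"kty": "RSA", "e": "AQAB", "n": "account-modulus-placeholder"}
ACCOUNT_URL = "https://acme.example/acct/1"
ACCOUNTS = {ACCOUNT_URL: {"key": ACCOUNT_KEY, "authorized_names": {"example.com"}}}

# The two header styles from the thread: "jwk" style with the cert key, "kid" style
# with the account URL. Using the account key in "jwk" style is what v2 rejects.
JWK_STYLE = {"alg": "RS256", "nonce": "constructed-nonce", "jwk": CERT_KEY}
KID_STYLE = {"alg": "RS256", "nonce": "constructed-nonce", "kid": ACCOUNT_URL}
```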
