Definitions for CRL reasons

5

Is there an authoritative definition of the various possible reasons in a CRL file? Section 6.3.2 (b) of RFC 5280 lists some of them:

  • unspecified
  • keyCompromise
  • cACompromise
  • affiliationChanged
  • superseded
  • cessationOfOperation
  • certificateHold
  • removeFromCRL
  • privilegeWithdrawn
  • aACompromise

I have looked and looked and cannot find any reliable explanation of what these states technically mean, and I don't want to simply assume their meaning from how the reason is worded.

asked by Bratchley 26.11.2017 - 00:31
source

2 answers

6

[Disclaimer: I work as a software developer on the software that powers one of the publicly trusted CAs and many corporate internal PKIs]

tl;dr: as far as I know, there are no formal guidelines for which revocation reason should be used in which situation; it is at the discretion of each CA's administrator or operator.

Typically, certificate revocations are performed by people who have to pick one of these revocation reasons from a drop-down menu in a GUI. That means deciding which specific bucket a given edge case falls into will vary from one organization / CA to another, or may be entirely at the discretion of the IT manager who is revoking the certificate for the ID badge, email access, web server, whatever.

In Windows Active Directory enterprise CAs:

I found an old Microsoft article that gives a bit of a textual description of each reason - search for "Revocation Reasons" on the page. (Microsoft created the CA software as part of the Active Directory suite, so I assume this is accompanying documentation intended for Windows domain admins). See Appendix A below for the full list.

In the public internet TLS PKI

The CA/Browser Forum (CAB forum) sets the rules for how publicly trusted CAs and browsers must behave with respect to certificates. Here are the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.2.5, April 2015. If you go to section 13.1.5 Reasons for Revoking a Subscriber Certificate (see Appendix B below), there is a list of situations in which the CA is required to revoke a certificate, but it makes no mention of which error code they should use.

tl;dr again: as far as I know, there are no formal guidelines for which revocation reason should be used in which situation; it is at the discretion of each CA's administrator or operator.

Appendix A: some guidance from Microsoft on when to use each revocation reason:

  • KeyCompromise. The token or disk location where the private key associated with the certificate has been compromised and is in the possession of an unauthorized individual. This can include the case where a laptop is stolen, or a smart card is lost.

  • CACompromise. The token or disk location where the CA's private key is stored has been compromised and is in the possession of an unauthorized individual. When a CA's private key is revoked, this results in all certificates issued by the CA that are signed using the private key associated with the revoked certificate being considered revoked.

  • AffiliationChanged. The user has terminated his or her relationship with the organization indicated in the Distinguished Name attribute of the certificate. This revocation code is typically used when an individual is terminated or has resigned from an organization. You do not have to revoke a certificate when a user changes departments, unless your security policy requires different certificate be issued by a departmental CA.

  • Superseded. A replacement certificate has been issued to a user, and the reason does not fall under the previous reasons. This revocation reason is typically used when a smart card fails, the password for a token is forgotten by a user, or the user has changed their legal name.

  • CessationOfOperation. If a CA is decommissioned, no longer to be used, the CA's certificate should be revoked with this reason code. Do not revoke the CA's certificate if the CA no longer issues new certificates, yet still publishes CRLs for the currently issued certificates.

  • CertificateHold. A temporary revocation that indicates that a CA will not vouch for a certificate at a specific point in time. Once a certificate is revoked with a CertificateHold reason code, the certificate can then be revoked with another Reason Code, or unrevoked and returned to use.

    Note: While CertificateHold allows a certificate to be "unrevoked", it is not recommended to place a hold on a certificate, as it becomes difficult to determine if a certificate was valid for a specific time.

  • RemoveFromCRL. If a certificate is revoked with the CertificateHold reason code, it is possible to "unrevoke" a certificate. The unrevoking process still lists the certificate in the CRL, but with the reason code set to RemoveFromCRL.

    Note: This is specific to the CertificateHold reason and is only used in DeltaCRLs.

  • Unspecified. It is possible to revoke a certificate without providing a specific reason code. While it is possible to revoke a certificate with the Unspecified reason code, this is not recommended, as it does not provide an audit trail as to why a certificate is revoked.

Appendix B: 13.1.5 Reasons for Revoking a Subscriber Certificate, from CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.2.5, April 2015:

  1. The Subscriber requests in writing that the CA revoke the Certificate;

  2. The Subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization;

  3. The CA obtains evidence that the Subscriber’s Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise (also see Section 10.2.4) or no longer complies with the requirements of Appendix A;

  4. The CA obtains evidence that the Certificate was misused;

  5. The CA is made aware that a Subscriber has violated one or more of its material obligations under the Subscriber or Terms of Use Agreement;

  6. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);

  7. The CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name;

  8. The CA is made aware of a material change in the information contained in the Certificate;

  9. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement;

  10. The CA determines that any of the information appearing in the Certificate is inaccurate or misleading;

  11. The CA ceases operations for any reason and has not made arrangements for another CA to provide revocation support for the Certificate;

  12. The CA’s right to issue Certificates under these Requirements expires or is revoked or terminated, unless the CA has made arrangements to continue maintaining the CRL/OCSP Repository;

  13. The CA is made aware of a possible compromise of the Private Key of the Subordinate CA used for issuing the Certificate;

  14. Revocation is required by the CA’s Certificate Policy and/or Certification Practice Statement; or

  15. The technical content or format of the Certificate presents an unacceptable risk to Application Software Suppliers or Relying Parties (e.g. the CA/Browser Forum might determine that a deprecated cryptographic/signature algorithm or key size presents an unacceptable risk and that such Certificates should be revoked and replaced by CAs within a given period of time).

answered 26.11.2017 - 01:32
source
4

In ITU-T X.509 (10/2012) they are described in section 8.5.3.1 (Reason code extension) as:

unspecified can be used to revoke certificates for reasons other than the specific codes.

keyCompromise is used in revoking an end-entity certificate; it indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.

cACompromise is used in revoking a CA-certificate; it indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.

affiliationChanged indicates that the subject's name or other information in the certificate has been modified but there is no cause to suspect that the private key has been compromised.

superseded indicates that the certificate has been superseded but there is no cause to suspect that the private key has been compromised.

cessationOfOperation indicates that the certificate is no longer needed for the purpose for which it was issued but there is no cause to suspect that the private key has been compromised.

privilegeWithdrawn indicates that a certificate (public-key or attribute certificate) was revoked because a privilege contained within that certificate has been withdrawn.

aACompromise indicates that it is known or suspected that aspects of the AA validated in the attribute certificate have been compromised.

And they also explain hold and remove; but hold just means "temporarily revoked" and "remove" is put on a delta-CRL to say "uh, that hold has been lifted". For X.509 the next "full" CRL simply no longer lists the certificate.

It's also worth noting that technically this extension is entirely optional. Both RFC 3280 and 5280 state that a conforming CA "SHOULD" provide the reason code. X.509 has very little to say about when to use it, only what it means if it was used.

answered 26.11.2017 - 02:19
source
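The certificateHold / removeFromCRL semantics described in both answers (a hold is temporary; a delta CRL entry with removeFromCRL lifts it; the reasonCode extension itself is optional) can be exercised with a small relying-party check. This is an added example, not code from either answer or from any CA product; the CRL entries, serial numbers and DER bytes below are constructed sample data, and only the three-byte ENUMERATED form of the reasonCode value is decoded.

```python
# RFC 5280 section 5.3.1 CRLReason ENUMERATED values (7 is unused).
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded",
               5: "cessationOfOperation", 6: "certificateHold",
               8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

def decode_reason_code(der: bytes) -> str:
    """Decode the DER ENUMERATED carried in a reasonCode (OID 2.5.29.21)
    CRL entry extension, e.g. bytes 0a 01 06 -> "certificateHold"."""
    if len(der) != 3 or der[0] != 0x0A or der[1] != 0x01:
        raise ValueError("expected a one-byte DER ENUMERATED (0a 01 xx)")
    if der[2] not in CRL_REASONS:
        raise ValueError(f"unknown CRLReason value {der[2]}")
    return CRL_REASONS[der[2]]

def apply_crls(base_entries, delta_entries=()):
    """Merge a base CRL with an optional delta CRL (RFC 5280 section 6.3.3).
    Entries are (serial, reason_der); reason_der is None when the CA omitted
    the optional extension. A delta entry with removeFromCRL drops the serial
    (a lifted hold); any other delta entry replaces the base entry."""
    revoked = {}
    for serial, der in base_entries:
        revoked[serial] = decode_reason_code(der) if der else None
    for serial, der in delta_entries:
        reason = decode_reason_code(der) if der else None
        if reason == "removeFromCRL":
            revoked.pop(serial, None)
        else:
            revoked[serial] = reason
    return revoked

def status(revoked, serial):
    """'good', 'hold' (certificateHold), 'revoked' (no reason given) or 'revoked:<reason>'."""
    if serial not in revoked:
        return "good"
    reason = revoked[serial]
    if reason == "certificateHold":
        return "hold"
    return "revoked" if reason is None else "revoked:" + reason

# Constructed sample data, not a real CRL: the base CRL revokes 0x1001 for
# keyCompromise, puts 0x1002 on hold and lists 0x1003 with no reason code;
# the delta CRL then lifts the hold on 0x1002 with removeFromCRL.
BASE_CRL = [(0x1001, b"\x0a\x01\x01"), (0x1002, b"\x0a\x01\x06"), (0x1003, None)]
DELTA_CRL = [(0x1002, b"\x0a\x01\x08")]

if __name__ == "__main__":
    before, after = apply_crls(BASE_CRL), apply_crls(BASE_CRL, DELTA_CRL)
    for serial in (0x1001, 0x1002, 0x1003, 0x1004):
        print(hex(serial), status(before, serial), "->", status(after, serial))
```

Note that a relying party seeing only the base CRL would still report 0x1002 as on hold; this is the audit ambiguity the Microsoft note in Appendix A warns about.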