
PKI 10.4 CMC Revocation

Endi S. Dewata edited this page Nov 26, 2025 · 2 revisions

Overview

In RFC 5272, a CMC revocation request is carried in the id-cmc-revokeRequest control. In releases prior to PKI 10.4, there appear to be two intended ways of submitting a CMC revocation request to the CA.

  • One is via ca/ee/ca/CMCRevReq.html, which leads to the backend servlet CMCRevReqServlet.java and authenticates the CMC signer with the agent authentication plugin CMCAuth (the same authenticator used for agent-signed CMC enrollment).

    • This is exposed on the CA EE portal's CMC Revoke tab.

    • This method violates RFC 5273 (CMC Transport Protocols): for HTTP/HTTPS, the body of the message must be the binary value of the BER encoding of the PKI Request or Response, sent with Content-Type application/pkcs7-mime, so an HTML form submission is not a conforming transport.

  • The other method follows the same path as CMC enrollment requests: the CMC request is submitted directly to the /ca/ee/ca/profileSubmitCMCFull servlet, where it is authenticated with the agent authenticator CMCAuth. This conforms to the CMC transport protocol (RFC 5273), but it is limited to agent authentication, much like CMC enrollment requests prior to PKI 10.4.

Note: The second method described above had not been maintained or tested, so it appears not to work prior to this release. It is unclear when it broke; the intent is to fix it in this release and to add the feature described below.

In this release, revocation handling is added to the new /ca/ee/ca/profileSubmitUserSignedCMCFull servlet, following the second method above (a signed CMC request posted directly as binary), so that a user whose signing certificate's subject DN matches the subject DN of the certificate being revoked can sign their own revocation request, without an agent.
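As an added worked example (not code from this page or from the Dogtag project), the following Python builds the RFC 5272 RevokeRequest control inside a PKIData, parses it back the way a conforming servlet has to (from the binary body, not from HTML form fields), and shows the RFC 5273 HTTP binding that the second submission method relies on. The minimal DER encoder/decoder, the issuer DN, the serial number, the comment and the signer_may_revoke helper are all constructed here for illustration and are not Dogtag's own implementation; the CMS SignedData wrapper that the agent (or, on the user-signed path, the certificate holder) applies before submission is omitted because it needs a private key. For real requests, Dogtag's CMCRequest tool produces the signed binary.

```python
"""Build and parse an RFC 5272 id-cmc-revokeRequest control and show the
RFC 5273 HTTP binding it travels over. Added example, not Dogtag code;
standard library only, with a tiny DER encoder/decoder so it runs offline."""

# --- minimal DER encoder ----------------------------------------------------

def _length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content

def _int_body(value: int) -> bytes:
    """Minimal two's-complement content octets for INTEGER / ENUMERATED."""
    return b"\x00" if value == 0 else value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)

def der_integer(value: int) -> bytes:
    return tlv(0x02, _int_body(value))

def der_enumerated(value: int) -> bytes:
    return tlv(0x0A, _int_body(value))

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def der_utf8(text: str) -> bytes:
    return tlv(0x0C, text.encode("utf-8"))

def der_sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def der_set(*items: bytes) -> bytes:
    return tlv(0x31, b"".join(sorted(items)))  # DER: SET OF elements in sorted order

# --- CMC structures (RFC 5272) ----------------------------------------------

ID_CMC_REVOKE_REQUEST = "1.3.6.1.5.5.7.7.17"   # id-cmc 17

# CRLReason values (RFC 5280 section 5.3.1)
CRL_REASON = {"unspecified": 0, "keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
              "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6,
              "removeFromCRL": 8, "privilegeWithdrawn": 9, "aACompromise": 10}

_DN_ATTR_OIDS = {"CN": "2.5.4.3", "OU": "2.5.4.11", "O": "2.5.4.10", "C": "2.5.4.6"}

def der_name(rdns) -> bytes:
    """X.501 Name as RDNSequence; rdns is a list of (attribute, value) pairs."""
    return der_sequence(*[der_set(der_sequence(der_oid(_DN_ATTR_OIDS[a]), der_utf8(v)))
                          for a, v in rdns])

def revoke_request(issuer_rdns, serial: int, reason: str, comment: str = None) -> bytes:
    """RevokeRequest ::= SEQUENCE { issuerName, serialNumber, reason, invalidityDate OPTIONAL,
    passphrase OPTIONAL, comment OPTIONAL }. invalidityDate and passphrase are omitted here."""
    parts = [der_name(issuer_rdns), der_integer(serial), der_enumerated(CRL_REASON[reason])]
    if comment is not None:
        parts.append(der_utf8(comment))
    return der_sequence(*parts)

def tagged_attribute(body_part_id: int, attr_oid: str, value: bytes) -> bytes:
    """TaggedAttribute ::= SEQUENCE { bodyPartID, attrType, attrValues SET OF }"""
    return der_sequence(der_integer(body_part_id), der_oid(attr_oid), der_set(value))

def build_revocation_pkidata(issuer_rdns, serial: int, reason: str, comment: str = None) -> bytes:
    """PKIData with one id-cmc-revokeRequest control and empty reqSequence, cmsSequence and
    otherMsgSequence. A real client then wraps this in CMS SignedData (agent or user key)."""
    control = tagged_attribute(1, ID_CMC_REVOKE_REQUEST, revoke_request(issuer_rdns, serial, reason, comment))
    return der_sequence(der_sequence(control), der_sequence(), der_sequence(), der_sequence())

# --- minimal DER decoder: what a conforming servlet does with the binary body -

def _children(content: bytes):
    """Split a constructed value's content octets into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(content[pos:pos + n], "big"), pos + n
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out

def find_revoke_requests(pkidata: bytes):
    """Return [(serial, reason)] for every id-cmc-revokeRequest control in a PKIData."""
    oid_body = der_oid(ID_CMC_REVOKE_REQUEST)[2:]
    (_, pki_content), = _children(pkidata)
    found = []
    for _, attr in _children(_children(pki_content)[0][1]):       # controlSequence
        (_, _body_part_id), (_, attr_type), (_, values) = _children(attr)
        if attr_type != oid_body:
            continue
        for _, rr in _children(values):
            fields = _children(rr)                                  # issuerName, serialNumber, reason, ...
            found.append((int.from_bytes(fields[1][1], "big", signed=True),
                          int.from_bytes(fields[2][1], "big", signed=True)))
    return found

# --- RFC 5273 section 5 HTTP binding ----------------------------------------

def cmc_http_post(path: str, pkidata: bytes) -> dict:
    """The only HTTP/HTTPS transport RFC 5273 allows: POST, raw BER/DER body,
    Content-Type application/pkcs7-mime. An HTML form upload does not qualify."""
    return {"method": "POST", "path": path, "body": pkidata,
            "headers": {"Content-Type": "application/pkcs7-mime", "Content-Length": str(len(pkidata))}}

def signer_may_revoke(signer_subject, target_subject) -> bool:
    """Simplified stand-in for the user-signed rule (not Dogtag's comparison): the signer's
    subject DN must match the subject DN of the certificate being revoked."""
    norm = lambda rdns: [(a.upper(), v.strip()) for a, v in rdns]
    return norm(signer_subject) == norm(target_subject)

if __name__ == "__main__":
    issuer = [("O", "EXAMPLE"), ("CN", "CA Signing Certificate")]   # constructed sample values
    body = build_revocation_pkidata(issuer, 0x1234, "keyCompromise", "lost laptop")
    print(find_revoke_requests(body))   # [(4660, 1)]
    print(cmc_http_post("/ca/ee/ca/profileSubmitUserSignedCMCFull", body)["headers"])
```

The decoder side is the point of the RFC 5273 caveat: a servlet such as profileSubmitCMCFull or profileSubmitUserSignedCMCFull reads the raw request body and walks the DER structure; there is no HTML form field to pull a serial number out of, which is why CMCRevReq.html cannot be made conforming by tweaking its form.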

See Also
