DigitalKey - Certificate revocation
Revocation is necessary if you think that your DigitalKey was compromised (eavesdropped, copied or otherwise exposed), that is, if you think that someone else could use your DigitalKey to impersonate you (act on your behalf without authorization). You can use the revocation feature ONCE for free. You need a valid openOSI DigitalKey for revocation, installed in your browser.
When a DigitalKey is revoked, it can no longer be used to authenticate to any application of the identity federation that openOSI.org belongs to. When a DigitalKey is revoked you have to ask for a new one. Applications that use your openOSI DigitalKey can always check online whether your DigitalKey has been revoked. For this we use HTTP servers, the OCSP protocol (RFC 2560), the CMP protocol (RFC 4210) and SCEP.
The HTTP URLs of the certificate revocation lists (CRL), OCSP and CMP servers are embedded in your openOSI DigitalKey.
The LDAP URLs of the certificate revocation lists (CRL), OCSP and CMP servers are embedded in your openOSI DigitalKey:
- ldap://ldap.openosi.org/CN=openosiCA1-DC,ou=PKI,dc=openOSI,dc=org?certificateRevocationList
- ldap://ldap.openosi.org/CN=openosiCA2-DC,ou=PKI,dc=openOSI,dc=org?certificateRevocationList
- ldap://ldap.openosi.org/CN=openosiCA3-EU,OU=PKI,O=openOSI,C=EU?certificateRevocationList
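The mechanism described above, as an added example that is not openOSI's code: a throwaway CA built with the openssl command-line tool issues a certificate whose CRL distribution points (an HTTP and an LDAP URL, as in an openOSI DigitalKey) and OCSP responder URL are embedded in the certificate itself, then revokes it and re-publishes the CRL so a relying party's CRL-aware verification flips from "good" to "revoked". The CA name, the example.invalid URLs and the subject names are constructed; openssl's `-crl_reason` takes the RFC 5280 reason names (keyCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold), so keyCompromise is used here for what the page calls "Compromised". Only the openssl CLI (1.1.1 or later) is required.

```shell
#!/bin/sh
# Added example (not openOSI's code): throwaway CA, one issued certificate
# with embedded CRL/OCSP pointers, revocation, CRL publication, CRL check.
# All names and URLs (Demo CA, *.example.invalid) are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal CA configuration: database files in the working directory and the
# extensions that put revocation-checking URLs into every issued certificate.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = ./index.txt
new_certs_dir    = ./newcerts
certificate      = ./ca.crt
private_key      = ./ca.key
serial           = ./serial
crlnumber        = ./crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = policy_any
x509_extensions  = leaf_ext
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
# Where relying parties fetch the CRL (HTTP and LDAP) and where they ask OCSP
crlDistributionPoints = URI:http://crl.example.invalid/demo.crl,URI:ldap://ldap.example.invalid/CN=Demo%20CA?certificateRevocationList
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid/
EOF

setup_ca() {
  mkdir -p newcerts
  : > index.txt
  echo 1000 > serial
  echo 1000 > crlnumber
  openssl req -config ca.cnf -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout ca.key -out ca.crt -days 365 -subj "/CN=Demo CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
}

issue_leaf() {
  openssl req -config ca.cnf -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout leaf.key -out leaf.csr -subj "/CN=demo user" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.crt 2>/dev/null
}

# Prints the CRL and OCSP URLs carried inside the certificate itself.
revocation_pointers() {
  openssl x509 -in leaf.crt -noout -ext crlDistributionPoints,authorityInfoAccess
}

# (Re)publishes the CRL from the CA database; empty until something is revoked.
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out demo.crl 2>/dev/null
}

# Relying-party check: echoes "good" or "revoked" (or the raw error otherwise).
status() {
  out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile demo.crl leaf.crt 2>&1) && { echo good; return; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo "error: $out" ;;
  esac
}

# Revokes the leaf with an RFC 5280 reason (keyCompromise, certificateHold, ...).
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.crt -crl_reason "$1" 2>/dev/null
}

# Reason text recorded in the CRL entry, e.g. "Key Compromise".
crl_reason_text() {
  openssl crl -in demo.crl -noout -text |
    awk '/CRL Reason Code/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

setup_ca
issue_leaf
revocation_pointers
publish_crl
BEFORE=$(status)
revoke_leaf keyCompromise
publish_crl
AFTER=$(status)
echo "before revocation: $BEFORE, after: $AFTER, reason: $(crl_reason_text)"
```

The check uses `openssl verify -crl_check`, which refuses to accept the chain unless a current CRL for the issuer is available; that is the same "fail if you cannot prove the key is still good" posture that the embedded CRL and OCSP URLs exist to support.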
Because revocation involves administrative work and puts a burden on the Certificate Revocation List and OCSP servers, you can only revoke ONCE for free. Additional revocations require commercial support.
Certificate revocation reasons
- unused: you no longer use your openOSI DigitalKey
- Compromised: the private key part of the DigitalKey has been compromised
- affiliationChanged: the organisation affiliation of the DigitalKey owner has changed
- superseded: you are seeking another DigitalKey class
- accessCanceled: you want to suppress the related access rights
- endOfOperation: you cease operations or disappear
- Temporary revocation: you are unsure of the underlying problem; this is the only reversible revocation