4.9.2
Who Can Request Revocation
The Issuer CA or RA shall accept revocation requests from authenticated and authorized parties,
such as the certificate Subscriber or the Affiliated Organization named in a Certificate. The
Issuer CA or RA may establish procedures that allow other entities to request Certificate
revocation for fraud or misuse. The Issuer CA shall revoke a Certificate if it receives sufficient
evidence of compromise or loss of the Private Key. The Issuer CA may revoke a Certificate of its
own volition without reason, even if no other entity has requested revocation.
Regarding code signing certificates, Issuer CAs that issue code signing certificates must provide
Anti-Malware Organizations, Subscribers, Relying Parties, Application Software Suppliers, and
other third parties with clear instructions on how they can report suspected Private Key
Compromise, Certificate misuse, Certificates used to sign Suspect Code, Takeover Attacks, or
other types of possible fraud, compromise, misuse, inappropriate conduct, or any other matter
related to Certificates. Issuer CAs must publicly disclose the instructions on their websites.
4.9.3
Procedure for Revocation Request
The Issuer CA shall provide a process for Subscribers to request revocation of their own
Certificates. The process must be described in the Issuer CA’s CPS.
The Issuer CA shall provide Subscribers, Relying Parties, application software suppliers, and
other third parties with clear instructions for reporting suspected Private Key Compromise,
Certificate misuse, or other types of fraud, compromise, misuse, inappropriate conduct, or any
other matter related to Certificates. The Issuer CA shall publicly disclose the instructions
through a readily accessible online means and in section 1.5.2 of its CPS. The Issuer CA shall
maintain a continuous 24/7 ability to internally respond to any high priority Certificate problem
reports. If appropriate, the Issuer CA or the RA may forward complaints to law enforcement.
The Issuer CA or RA shall authenticate and log each revocation request. The Issuer CA will
always revoke a Certificate if the request is authenticated as originating from the Subscriber or
the Affiliated Organization listed in the Certificate. If revocation or a problem report
investigation is requested by someone other than an authorized representative of the
Subscriber or Affiliated Organization, the Issuer CA or RA shall investigate the alleged basis for
the revocation request.
CA/RA Administrators are entitled to request the revocation of end-user Subscriber Certificates
within the CA’s/RA’s Subdomain. Issuer CAs shall authenticate the identity of Administrators
before permitting them to perform revocation functions.
4.9.4
Revocation Request Grace Period
The revocation request grace period is the time available to the subscriber within which the
subscriber must make a revocation request after reasons for revocation have been identified.
Issuer CAs and RAs are required to report the suspected compromise of their CA or RA Private
Key and request revocation to both the policy authority and operating authority of the superior
issuing CA within one hour of discovery.
Subscribers shall request revocation as soon as possible if the Private Key corresponding to
the Certificate is lost or compromised or if the certificate data is no longer valid. The Issuer
CA may extend revocation grace periods on a case-by-case basis if it does not violate this CP,
the CPS, or any of the relevant requirements as listed in the sources of section 1.6.3.
4.9.5
Time within which CA Must Process the Revocation Request
An Issuer CA shall revoke a Certificate within one hour of receiving appropriate instruction
from the DCPA. An Issuer CA shall revoke the CA Certificate of a subordinate or cross-signed CA
as soon as practical after receiving proper notice that the subordinate or cross-signed CA has
been compromised. Except as otherwise set forth in section 4.9.1.2 of the Baseline