ETSI EN 319 411-1 How should certificate authorities handle revocation evidence under ETSI EN 319 411-1

Treat revocation evidence as operational proof that the CA followed the CPS procedures required by EN 319 411-1. The CPS needs to state who may submit revocation requests or event reports, how requests are submitted, what confirmation is required, when certificates may be revoked or suspended, how status is distributed, and the maximum delays before relying parties can see the changed status.

For each revocation case, preserve enough evidence to show that the request or report was processed on receipt, authenticated, checked as coming from an authorized source, and converted into updated certificate status within the EN 319 411-1 timing rules.

The evidence set should prove both the case decision and the publication of status information. EN 319 411-1 requires the maximum delay from receipt of a revocation or suspension request to actual status availability for relying parties to be at most 24 hours, and it applies that same maximum where both CRL and online status services are supported.

Where CRLs are used, keep proof that a CRL or variant was published at least every 24 hours until the last CRL for the scope, that each CRL carried the next scheduled issue time unless it was the last CRL, and that the CRL was signed by the CA or a TSP-designated entity. Where OCSP is used, keep responder records and consistency evidence when both OCSP and CRL are provided.

Before closing a revocation evidence file, verify that the file proves the certificate-specific decision, the status-service outcome, and the archive controls. The test is whether an auditor can reconstruct what was requested, who was authorized, what changed, when relying parties could see it, and where the protected records are retained.