- Supports preserving accessible, confidential, integrity-protected operational records for evidence and service continuity.
"Collection of evidence"
A focused operating guide for CA revocation request intake, status-service publication, CRL cadence, OCSP support, and consistency evidence under ETSI EN 319 411-1.
Grounded in ETSI EN 319 411-1 clauses 6.2.4, 6.3.9, 6.3.10, and 6.6, with EN 319 401 evidence-record support.
Use this page to structure the operational controls behind certificate revocation and status services. EN 319 411-1 expects the CPS to define who can request revocation, how requests are confirmed and authenticated, how quickly status changes reach relying parties, whether OCSP or CRL is supported, and how multiple status methods remain consistent over time.
Start with the CPS because EN 319 411-1 makes revocation operations a published practice, not only a back-office ticket queue. The CPS needs to state who can submit revocation requests or event reports, how those requests are submitted, what confirmation is required, whether certificates can be suspended or revoked, which mechanism distributes status information, and the maximum delays before relying parties can see the status change.
The operating design should separate revocation management from revocation status distribution. Revocation management decides the action to take on a request or event report; the status service exposes the resulting certificate status to relying parties through OCSP, CRL, or both.
EN 319 411-1 requires timely revocation based on authorized and validated requests, and it also names events that require revocation of non-expired certificates. The operational file should therefore prove the full path: request or event report received, authenticated, checked against the authorized source, decided by the responsible trusted role, and converted into updated status information.
If suspension is available, keep it distinct from definitive revocation. A definitively revoked certificate is not reinstated, while a suspended certificate needs its own status-change and notification handling. Where possible, the subject and subscriber should be informed when a certificate is revoked or suspended.
Where CRLs are used for end-user certificates, EN 319 411-1 gives concrete operating checks. A CRL or variant, such as a delta CRL, is published at least every 24 hours until the last CRL has been published. Each CRL states the time of the next scheduled CRL issue unless it is the last CRL for that certificate scope, and the CRL is signed by the CA or an entity designated by the TSP.
A useful CRL evidence file shows the published CRL, publication timestamp, nextUpdate value, signing authority, certificate scope, and any delta or last-CRL handling. It should also show how relying parties find the CRL and how the CA confirms that changed revocation status reached the CRL path within the CPS timing commitment.
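One way to run these CRL checks over an evidence file, as an added example that is not part of the original guide or of ETSI material. The record layout, CA name, serial numbers, and the 12-hour CPS delay are constructed assumptions; the 24-hour cadence is the figure quoted above.

```python
from datetime import datetime, timedelta, timezone

MAX_CRL_INTERVAL = timedelta(hours=24)  # cadence quoted from EN 319 411-1 above
CPS_MAX_DELAY = timedelta(hours=12)     # assumed CPS commitment (hypothetical)
SIGNERS = {"CN=Example Issuing CA"}     # assumed CA / TSP-designated signers

def ts(text):
    """Parse a constructed UTC timestamp such as '2024-03-01T00:00'."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

def crl(number, published, next_update, revoked, last=False):
    """Build one evidence record (layout is an assumption, not an ETSI format)."""
    return {"number": number, "published": ts(published),
            "next_update": ts(next_update) if next_update else None,
            "signer": "CN=Example Issuing CA", "revoked": set(revoked), "last": last}

# Constructed sample data: four published CRLs and two revocation decisions.
CRLS = [
    crl(101, "2024-03-01T00:00", "2024-03-02T00:00", ["0A"]),
    crl(102, "2024-03-02T00:00", "2024-03-03T00:00", ["0A"]),
    crl(103, "2024-03-03T06:00", None, ["0A", "0B"]),            # late, no nextUpdate
    crl(104, "2024-03-04T00:00", None, ["0A", "0B"], last=True),  # last CRL for scope
]
REVOCATIONS = [("0A", ts("2024-02-29T20:00")), ("0B", ts("2024-03-02T03:00"))]

def check_crl_evidence(crls, revocations, signers=SIGNERS):
    """Return (finding, subject) tuples for gaps in the CRL evidence file."""
    crls = sorted(crls, key=lambda c: c["published"])
    findings = []
    for prev, cur in zip(crls, crls[1:]):
        if cur["published"] - prev["published"] > MAX_CRL_INTERVAL:
            findings.append(("cadence-exceeded", cur["number"]))
    for c in crls:
        if c["next_update"] is None and not c["last"]:
            findings.append(("missing-nextUpdate", c["number"]))
        if c["signer"] not in signers:
            findings.append(("unexpected-signer", c["number"]))
    for serial, decided in revocations:
        # First CRL published at or after the decision that lists the serial.
        seen = next((c["published"] for c in crls
                     if c["published"] >= decided and serial in c["revoked"]), None)
        if seen is None or seen - decided > CPS_MAX_DELAY:
            findings.append(("cps-delay-exceeded", serial))
    return findings

if __name__ == "__main__":
    for finding in check_crl_evidence(CRLS, REVOCATIONS):
        print(finding)
```

Each finding names the CRL number or certificate serial to pull from the evidence file, so a reviewer can go straight to the record that breaks the cadence, nextUpdate, signer, or CPS timing check.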
EN 319 411-1 requires services for checking certificate status and says OCSP or CRL shall be supported, with OCSP recommended. Revocation status information must be available 24 hours per day, seven days per week, protected for integrity and authenticity, include status information at least until the certificate expires, and be publicly and internationally available.
When both CRL and OCSP are used, status updates need to become available through all supported methods. The services also need to remain consistent over time, while allowing documented differences in update delays. If those delays exist or are possible, the CPS should explain their origin and how relying parties should interpret temporary differences.
Use this checklist before an audit handoff or customer evidence request. It is scoped to operational proof for revocation and status services; it does not supersede the full EN 319 411-1 conformity assessment or any external scheme requirement.