- OBJECTIVE: Verify that certificate revocation status is provided as CRLs as defined by and subject to the requirements of ITU-T X.509 [\[1\]](#_ref_1), as OCSP responses as defined by and subject to the requirements of RFC 6960 [\[i.3\]](#_ref_i.3), or as both.
- PREPARATION: Document the circumstances in which the certificate generation service may issue a public-key certificate. Ability to request a certificate issuance. Ability to configure revocation aspects of the certificate profile if supported.
- ACTIVITIES:
a) Attempt to configure the certificate profile to not offer any revocation source in issued certificates;
a.1) if successful, request a certificate for each way the PKI may issue a public-key certificate, and verify the issuances to fail.
b) For each way the PKI may successfully issue a public-key certificate:
b.1) request a certificate;
b.2) verify the issued certificate to contain information allowing a verifier to obtain a CRL or OCSP response.
- VERDICT: SUCCESS if all the verifications pass; else FAIL.
- EVIDENCE:
a) The configuration attempts, or other evidence such configuration is not supported;
b) the way issuances were requested, and the responses from the PKI.
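
An added example, not part of the original test specification: one way to automate the check in activity b.2 using Go's standard `crypto/x509` package. The function names, the constructed sample certificate, and the rule that only absolute URIs count as obtainable sources are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// RevocationSources returns the CRL distribution point and OCSP responder URIs of a DER certificate.
func RevocationSources(der []byte) (crl, ocsp []string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, fmt.Errorf("parse certificate: %w", err)
	}
	keep := func(in []string) (out []string) { // assumption: only absolute URIs are obtainable
		for _, s := range in {
			if u, e := url.Parse(s); e == nil && u.IsAbs() {
				out = append(out, s)
			}
		}
		return out
	}
	return keep(cert.CRLDistributionPoints), keep(cert.OCSPServer), nil
}

// Verdict applies the b.2 check to one issued certificate.
func Verdict(der []byte) string {
	if crl, ocsp, err := RevocationSources(der); err != nil || len(crl)+len(ocsp) == 0 {
		return "FAIL"
	}
	return "SUCCESS"
}

// SampleCert builds a constructed self-signed certificate (not real PKI output).
func SampleCert(crl, ocsp []string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), CRLDistributionPoints: crl, OCSPServer: ocsp}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	return der
}

func main() {
	fmt.Println(Verdict(SampleCert([]string{"http://crl.example.test/ca.crl"}, nil)), Verdict(SampleCert(nil, nil)))
}
```

Run `Verdict` over the DER bytes of every certificate collected in b.1 and keep the `RevocationSources` output with the evidence for b).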
- REFERENCE: ASS-REQ-6.5-02
- OBJECTIVE: Verify the PKI implements and enforces a CRL profile for issued CRLs.