# Service CA Revocation v1
Source schema: doc/schemas/service-ca-revocation.v1.schema.json
Signed governance or operator fact revoking scoped Service CA material. This is a revocation candidate until the local node verifies the signature and accepts the issuer under local trust policy.
## Governing Basis

- doc/project/40-proposals/056-orbiplex-tls-trust-policy.md
- doc/project/60-solutions/024-tls-trust-policy/024-tls-trust-policy.md

## Project Lineage

## Fields

| Field | Required | Shape | Description |
|---|---|---|---|
| `schema` | yes | const: `service-ca-revocation.v1` | |
| `revocation/id` | yes | string | |
| `ca/id` | yes | string | |
| `material/digest` | no | ref: `#/$defs/sha256Digest` | Optional canonical payload or PEM digest. When omitted, the revocation applies to all active local candidates with the same `ca/id`. |
| `revoked/at` | yes | string | |
| `reason-code` | yes | enum: `key-compromise`, `scope-withdrawn`, `superseded`, `operator-request`, `policy-violation`, `diagnostic` | |
| `issuer` | yes | ref: `#/$defs/issuer` | |
| `policy/ref` | no | string | |
| `signature` | yes | ref: `#/$defs/signature` | |

## Definitions

| Definition | Shape | Description |
|---|---|---|
| `issuer` | object | |
| `signature` | object | |
| `sha256Digest` | string | |

## Field Semantics

### schema

- Required: yes
- Shape: const: `service-ca-revocation.v1`

### revocation/id

- Required: yes
- Shape: string

### ca/id

- Required: yes
- Shape: string

### material/digest

- Required: no
- Shape: ref: `#/$defs/sha256Digest`

Optional canonical payload or PEM digest. When omitted, the revocation applies to all active local candidates with the same `ca/id`.
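
The sketch below is an added example, not code from the project. It shows how a node could combine the candidate rule stated at the top of this page (verify the signature, accept the issuer) with the `material/digest` scoping rule. The callbacks `verify_signature` and `issuer_accepted`, the local candidate record keys (`digest`, `active`), the `sha256:` digest format and the contents of the `issuer` and `signature` objects are assumptions, since the page does not define them.

```python
from __future__ import annotations
from typing import Callable, Iterable

REQUIRED = ("schema", "revocation/id", "ca/id", "revoked/at",
            "reason-code", "issuer", "signature")
REASON_CODES = {"key-compromise", "scope-withdrawn", "superseded",
                "operator-request", "policy-violation", "diagnostic"}

def select_revoked(revocation: dict, candidates: Iterable[dict],
                   verify_signature: Callable[[dict], bool],
                   issuer_accepted: Callable[[dict], bool]) -> list[dict]:
    """Return the active local candidates the revocation applies to.

    An empty list means the fact is still only a revocation candidate.
    """
    missing = [f for f in REQUIRED if f not in revocation]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    if revocation["schema"] != "service-ca-revocation.v1":
        raise ValueError("unexpected schema const")
    if revocation["reason-code"] not in REASON_CODES:
        raise ValueError("reason-code outside the enum")
    # Both gates must pass before any local material is touched.
    if not (verify_signature(revocation) and issuer_accepted(revocation["issuer"])):
        return []
    digest = revocation.get("material/digest")  # optional field
    return [c for c in candidates
            if c["active"] and c["ca/id"] == revocation["ca/id"]
            and (digest is None or c["digest"] == digest)]

# Constructed sample data; the digest string format is assumed.
D1, D2 = "sha256:" + "a" * 64, "sha256:" + "b" * 64
CANDIDATES = [
    {"ca/id": "ca-a", "digest": D1, "active": True},
    {"ca/id": "ca-a", "digest": D2, "active": True},
    {"ca/id": "ca-a", "digest": D1, "active": False},
    {"ca/id": "ca-b", "digest": D1, "active": True},
]
REVOCATION = {
    "schema": "service-ca-revocation.v1", "revocation/id": "rev-1",
    "ca/id": "ca-a", "revoked/at": "2025-01-01T00:00:00Z",
    "reason-code": "key-compromise",
    "issuer": {"id": "issuer-1"}, "signature": {"value": "constructed"},
}

if __name__ == "__main__":
    ok = lambda _: True
    print(len(select_revoked(REVOCATION, CANDIDATES, ok, ok)))
```

Without `material/digest` the sample revocation selects both active `ca-a` candidates; adding the digest narrows it to the single matching one.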

### revoked/at

- Required: yes
- Shape: string

### reason-code

- Required: yes
- Shape: enum: `key-compromise`, `scope-withdrawn`, `superseded`, `operator-request`, `policy-violation`, `diagnostic`

### issuer

- Required: yes
- Shape: ref: `#/$defs/issuer`

### policy/ref

- Required: no
- Shape: string

### signature

- Required: yes
- Shape: ref: `#/$defs/signature`

## Definition Semantics

### $defs.issuer

- Shape: object

### $defs.signature

- Shape: object

### $defs.sha256Digest

- Shape: string