OpenSCEP includes a web form to revoke certificates. Because revocation is a highly sensitive operation, the security issues involved deserve proper consideration.
First, note that X.509 does not specify how revocation is to be performed; it specifies only the result of a revocation, the certificate revocation list (CRL). There are, however, two possible ways to authenticate the requestor of a certificate revocation: the web server authenticates the requestor as a trusted administrator, or the requestor proves knowledge of the certificate's challenge password.
OpenSCEP implements both cases. In the first case, the OpenSCEP CGI programs expect the surrounding web server to perform the authentication of the user. Since an Apache server offers a plethora of authentication methods, this gives considerable flexibility. However, if basic authentication is used, the connection should be protected from eavesdroppers with SSL, because the credentials would otherwise travel in the clear.
OpenSCEP does not attribute different rights to different certificates: any administrator allowed to revoke without a challenge password can revoke any certificate. Trusted administrators must be listed in the crlusers configuration variable in openscep.cnf.
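As an added example (not part of OpenSCEP's own documentation), the following Apache configuration protects the revocation CGI in the way described above: the web server performs basic authentication and refuses any request that did not arrive over SSL. The CGI location, file paths and user names are assumptions, not OpenSCEP defaults.

```apache
# Added example: protect the OpenSCEP revocation CGI with web-server
# authentication. Paths and user names are assumptions, not OpenSCEP defaults.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/scep-server.pem
    SSLCertificateKeyFile /etc/ssl/private/scep-server.key

    ScriptAlias /cgi-bin/openscep/ /usr/local/lib/openscep/cgi/

    <Location /cgi-bin/openscep/revoke>
        # Refuse the request outright unless it came in over SSL, so a
        # misconfigured plain-HTTP virtual host cannot expose the password.
        SSLRequireSSL

        # The web server authenticates the administrator; the CGI only sees
        # the authenticated name in the standard REMOTE_USER variable.
        AuthType Basic
        AuthName "OpenSCEP certificate revocation"
        AuthUserFile /etc/openscep/htpasswd

        # Only these administrators may reach the form. The same names must
        # also appear in the crlusers variable of openscep.cnf.
        Require user caadmin pkiops
    </Location>
</VirtualHost>
```

A plain-HTTP virtual host serving the same ScriptAlias would bypass the SSLRequireSSL check, so the revocation location should not be exposed there at all.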
In the second case, any user with access to the web server can revoke any certificate whose challenge password she knows. The challenge password is verified against the directory.