=== Revocation of Compromised Certificates ===
CAs must revoke certificates with private keys that are known to be compromised, or for which verification of subscriber information is known to be invalid. CAs must use CRL revocation reason codes in accordance with [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#611-end-entity-tls-certificate-crlrevocation-reasons MRSP section 6.1.1]. See also [https://wiki.mozilla.org/CA/Revocation_Reasons Revocation Reasons] for additional guidance.
=== Verifying Domain Name Ownership ===