CA/Revocation Reasons

1,439 bytes added, 00:25, 22 March 2022
Created page with "{{DRAFT}} [https://www.mozilla.org/projects/security/certs/policy/ Mozilla's Root Store Policy] (starting with version 2.8) has a section dedicated to CRLRevocation Reasons fo..."
{{DRAFT}}
[https://www.mozilla.org/projects/security/certs/policy/ Mozilla's Root Store Policy] (starting with version 2.8) has a section dedicated to CRL Revocation Reasons for end-entity TLS certificates, e.g. website server authentication certificates. The section was added because Mozilla believes that [[CA/Revocation_Checking_in_Firefox#Revocation_Is_Important|revocation checking is important]], and there were several problems with not having such a policy, including:
* There were no policies specifying when certain revocation reason codes should or should not be used, and no incentive for CAs to use the correct reason codes
* Some CAs were not using revocation reason codes at all for TLS end-entity certificates
* Some CAs were using the same revocation reason code for every revocation
* Some CAs would revoke certificates without informing their certificate subscribers about the revocation beforehand
* There were no policies specifying the information that CAs should provide to their certificate subscribers about revocation reasons

The following CRL Revocation Reasons may be specified in the CRL reasonCode entry extension. They MUST be specified under the conditions detailed in section 6.1.1 of Mozilla's Root Store Policy.
* keyCompromise (RFC 5280 CRLReason #1)
* privilegeWithdrawn (RFC 5280 CRLReason #9)
* cessationOfOperation (RFC 5280 CRLReason #5)
* affiliationChanged (RFC 5280 CRLReason #3)
* superseded (RFC 5280 CRLReason #4)
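
As an added, stand-alone example (not part of this wiki page and not Mozilla's own tooling), the following Python encodes and decodes the RFC 5280 reasonCode CRL entry extension (OID 2.5.29.21, an ENUMERATED inside an OCTET STRING) and runs a small audit over constructed CRL entries, flagging entries that carry no reasonCode at all and entries whose reason is outside the five listed above. The entry serials and extension bytes are constructed sample data; the function names (`encode_reason_code_extension`, `decode_reason_code_extension`, `audit_crl_entries`) are this example's own, not names from the policy or from any library.

```python
"""Decode and audit the CRL reasonCode entry extension (RFC 5280, section 5.3.1).

Added example; the CRL entries below are constructed sample data, not a real CA's CRL.
"""
from collections import Counter

# RFC 5280 CRLReason ENUMERATED values (value 7 is not defined by the RFC).
CRL_REASON_NAMES = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}

# The reasons this page lists for end-entity TLS certificates (MRSP 2.8, section 6.1.1).
MOZILLA_TLS_EE_REASONS = frozenset({
    "keyCompromise", "privilegeWithdrawn", "cessationOfOperation",
    "affiliationChanged", "superseded",
})

ID_CE_CRL_REASONS = bytes.fromhex("0603551d15")  # DER of OID 2.5.29.21 (id-ce-cRLReasons)


def _read_tlv(buf, offset, expected_tag):
    """Read one DER TLV with a short-form length; return (value, offset after it)."""
    if offset + 1 >= len(buf) or buf[offset] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {offset}")
    length = buf[offset + 1]
    if length >= 0x80:
        raise ValueError("long-form length is not expected in a reasonCode extension")
    start, end = offset + 2, offset + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return buf[start:end], end


def encode_reason_code_extension(reason):
    """Build Extension { extnID id-ce-cRLReasons, extnValue OCTET STRING { ENUMERATED } }.

    reasonCode is non-critical, so the critical BOOLEAN (DEFAULT FALSE) is omitted in DER.
    """
    if reason not in CRL_REASON_NAMES:
        raise ValueError(f"unknown CRLReason value {reason}")
    enumerated = bytes([0x0A, 0x01, reason])
    octet_string = bytes([0x04, len(enumerated)]) + enumerated
    body = ID_CE_CRL_REASONS + octet_string
    return bytes([0x30, len(body)]) + body


def decode_reason_code_extension(der):
    """Return (code, name) from a DER reasonCode extension; reject anything malformed."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after extension")
    oid, off = _read_tlv(body, 0, 0x06)
    if bytes([0x06, len(oid)]) + oid != ID_CE_CRL_REASONS:
        raise ValueError("not a reasonCode extension")
    # A critical BOOLEAN would be an encoding error here, so only an OCTET STRING is accepted.
    octets, off = _read_tlv(body, off, 0x04)
    if off != len(body):
        raise ValueError("trailing bytes inside extension")
    enum, enum_end = _read_tlv(octets, 0, 0x0A)
    if enum_end != len(octets) or len(enum) != 1:
        raise ValueError("malformed ENUMERATED")
    code = enum[0]
    if code not in CRL_REASON_NAMES:
        raise ValueError(f"unknown CRLReason value {code}")
    return code, CRL_REASON_NAMES[code]


def audit_crl_entries(entries):
    """entries: list of (serial_hex, reason_extension_der or None).

    Returns findings that mirror the problems listed on this page: entries without a
    reasonCode, reasons outside the TLS end-entity list, and a single reason used for
    every entry (a signal worth a closer look, not by itself a policy violation).
    """
    findings = {"missing_reason": [], "not_permitted_for_tls_ee": [], "single_reason_for_all": False}
    seen = Counter()
    for serial, ext in entries:
        if ext is None:
            findings["missing_reason"].append(serial)
            continue
        _, name = decode_reason_code_extension(ext)
        seen[name] += 1
        if name not in MOZILLA_TLS_EE_REASONS:
            findings["not_permitted_for_tls_ee"].append((serial, name))
    if len(entries) > 1 and len(seen) == 1 and not findings["missing_reason"]:
        findings["single_reason_for_all"] = True
    return findings


# Constructed sample CRL entries (serial, reasonCode extension or None).
SAMPLE_CRL_ENTRIES = [
    ("01a3", encode_reason_code_extension(1)),  # keyCompromise
    ("01a4", encode_reason_code_extension(5)),  # cessationOfOperation
    ("01a5", None),                             # no reasonCode at all
    ("01a6", encode_reason_code_extension(6)),  # certificateHold: not in the list above
]

if __name__ == "__main__":
    print(audit_crl_entries(SAMPLE_CRL_ENTRIES))
```

The decoder deliberately accepts only the short-form DER that a reasonCode extension can ever need and rejects a reason value the RFC does not define, so a CRL that sneaks in an undefined or oversized value fails loudly instead of mapping to "unspecified". For a whole CRL, pair this with a full X.509 CRL parser (for example `cryptography`'s `x509.load_der_x509_crl`) and feed each revoked certificate's reasonCode bytes into `audit_crl_entries`.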