Changes


CA/Revocation Reasons

533 bytes removed, 23:24, 22 March 2022
continued drafting text
The following reason codes are banned for TLS end-entity certificates. This means that if a certificate is revoked for one of the following reasons, the reasonCode extension MUST NOT be provided for that entry in the CRL.
* unspecified (0)
** Section 7.2.2 of the BRs says: “The CRLReason indicated MUST NOT be unspecified (0). If the reason for revocation is unspecified, CAs MUST omit reasonCode entry extension”
* cACompromise (2)
** This reason code is used when revoking an intermediate certificate.
** When an intermediate certificate is revoked and added to OneCRL all certificates signed by that intermediate certificate are also treated as revoked.
** https://www.ccadb.org/policy#4-intermediate-certificates says: "If an intermediate certificate is revoked, the CCADB must be updated to mark it as revoked, giving the reason why, within 24 hours for a security incident, and within 7 days for any other reason."
* certificateHold (6)
** Section 7.2.2 of the BRs says: “If a CRL entry is for a Certificate subject to these Requirements, the CRLReason MUST NOT be certificateHold (6).”
* "-- value 7 is not used"
* removeFromCRL (8)
** Section 4.10.1 of the BRs says: “Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the Expiry Date of the revoked Certificate.”
* aACompromise (10)
These banned reason codes are either already banned by the BRs or they are not applicable to end-entity TLS certificates. Below is a detailed explanation for each of them.
* unspecified (0)
** Section 7.2.2 of the BRs says: “The CRLReason indicated MUST NOT be unspecified (0). If the reason for revocation is unspecified, CAs MUST omit reasonCode entry extension”
* cACompromise (2)
** This reason code is used when revoking an intermediate certificate.
** When an intermediate certificate is revoked and added to OneCRL all certificates signed by that intermediate certificate are also treated as revoked.
** https://www.ccadb.org/policy#4-intermediate-certificates says: "If an intermediate certificate is revoked, the CCADB must be updated to mark it as revoked, giving the reason why, within 24 hours for a security incident, and within 7 days for any other reason."
** Section 4.1 of Mozilla's Root Store Policy says: "If the revocation of an intermediate certificate chaining up to a root in Mozilla’s root program is due to a security concern, as well as performing the actions defined in the CCADB Policy, a security bug must be filed in Bugzilla."
* certificateHold (6)
** Section 7.2.2 of the BRs says: “If a CRL entry is for a Certificate subject to these Requirements, the CRLReason MUST NOT be certificateHold (6).”
* removeFromCRL (8)
** Section 4.10.1 of the BRs says: “Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the Expiry Date of the revoked Certificate.”
* aACompromise (10)
** Not applicable to TLS certificates. aACompromise is used for attribute certificates when aspects of the attribute authority (AA) have been compromised.
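As an added example (not part of the wiki page or of any CA's tooling), the following Python linter applies the rules above to the CRLReason extension of each CRL entry, flagging the codes this page lists as banned for TLS end-entity certificates. It assumes the `cryptography` library; the CRL it checks is constructed in the script with a throwaway issuer key, and value 7 is not representable there because the library has no enum member for it.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Reason codes that MUST NOT appear in a CRL entry for a TLS end-entity certificate,
# with the rule each one violates (BR = CA/Browser Forum Baseline Requirements).
BANNED_REASONS = {
    x509.ReasonFlags.unspecified: "BR 7.2.2: omit reasonCode instead of using unspecified (0)",
    x509.ReasonFlags.ca_compromise: "cACompromise (2) is reserved for intermediate certificates",
    x509.ReasonFlags.certificate_hold: "BR 7.2.2: certificateHold (6) MUST NOT be used",
    x509.ReasonFlags.remove_from_crl: "BR 4.10.1: entries are not removed before expiry, so removeFromCRL (8) never applies",
    x509.ReasonFlags.aa_compromise: "aACompromise (10) applies only to attribute certificates",
}


def lint_crl_reasons(crl):
    """Return (serial, reason name, rule) for every entry carrying a banned reasonCode."""
    findings = []
    for entry in crl:
        try:
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
        except x509.ExtensionNotFound:
            continue  # omitting the reasonCode extension is always permitted
        if reason in BANNED_REASONS:
            findings.append((entry.serial_number, reason.name, BANNED_REASONS[reason]))
    return findings


def build_sample_crl():
    """Constructed sample CRL (hypothetical issuer): two compliant entries, two banned ones."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    now = datetime.now(timezone.utc)

    def entry(serial, reason=None):
        b = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
        if reason is not None:
            b = b.add_extension(x509.CRLReason(reason), critical=False)
        return b.build()

    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(issuer).last_update(now).next_update(now + timedelta(days=7))
           .add_revoked_certificate(entry(1001, x509.ReasonFlags.key_compromise))  # allowed
           .add_revoked_certificate(entry(1002))                                    # no reasonCode: allowed
           .add_revoked_certificate(entry(1003, x509.ReasonFlags.certificate_hold))  # banned
           .add_revoked_certificate(entry(1004, x509.ReasonFlags.unspecified))       # banned
           .sign(key, hashes.SHA256()))
    # Round-trip through DER so the linter sees exactly what a relying party would parse.
    return x509.load_der_x509_crl(crl.public_bytes(serialization.Encoding.DER))
```

Running `lint_crl_reasons(build_sample_crl())` reports serials 1003 and 1004 with the rule each violates; pointing `lint_crl_reasons` at `x509.load_der_x509_crl(open(path, "rb").read())` checks a real CRL the same way.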