CA/Revocation Reasons

141 bytes added, 23:27, 22 March 2022
continued drafting text
TO DO<br>
The following reason codes are banned for TLS end-entity certificates: if a certificate is revoked for one of the following reasons, the reasonCode entry extension MUST NOT be included for that entry in the CRL.
* unspecified (RFC 5280 CRLReason #0)
** Section 7.2.2 of the BRs says: “The CRLReason indicated MUST NOT be unspecified (0). If the reason for revocation is unspecified, CAs MUST omit reasonCode entry extension”
* cACompromise (RFC 5280 CRLReason #2)
** This reason code is used when revoking a CA certificate, i.e. an intermediate certificate, not an end-entity certificate.
** When an intermediate certificate is revoked and added to OneCRL all certificates signed by that intermediate certificate are also treated as revoked.
** https://www.ccadb.org/policy#4-intermediate-certificates says: "If an intermediate certificate is revoked, the CCADB must be updated to mark it as revoked, giving the reason why, within 24 hours for a security incident, and within 7 days for any other reason."
* certificateHold (RFC 5280 CRLReason #6)
** Section 7.2.2 of the BRs says: “If a CRL entry is for a Certificate subject to these Requirements, the CRLReason MUST NOT be certificateHold (6).”
* RFC 5280 CRLReason #7
** RFC 5280 says: "-- value 7 is not used"
* removeFromCRL (RFC 5280 CRLReason #8)
** Section 4.10.1 of the BRs says: “Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the Expiry Date of the revoked Certificate.”
* aACompromise (RFC 5280 CRLReason #10)
** Not applicable to TLS certificates. aACompromise is used for attribute certificates when aspects of the attribute authority (AA) have been compromised.
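As an added illustration (not code from this wiki, Mozilla, or any CA), the following lints CRL revokedCertificates entries for the banned reasonCode values listed above. The reasonCode extension (id-ce-cRLReasons, 2.5.29.21) is an ENUMERATED inside an OCTET STRING in the entry's crlEntryExtensions; a minimal hand-rolled DER encoder/decoder is used so the example runs offline with no dependencies, and the sample entries, serial numbers and revocation date are constructed for the example. Function names such as `crl_entry` and `lint_entries` are this example's own.

```python
import datetime

# CRLReason values from RFC 5280 section 5.3.1
REASON_NAMES = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 7: "(value 7 is not used)", 8: "removeFromCRL",
    9: "privilegeWithdrawn", 10: "aACompromise",
}
# Values that must not appear in a CRL entry for a TLS end-entity certificate
BANNED_FOR_TLS_EE = {0, 2, 6, 7, 8, 10}

OID_CRL_REASON = bytes.fromhex("551d15")   # id-ce-cRLReasons, 2.5.29.21

def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(n):
    # one extra byte when the high bit is set keeps the value positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def crl_entry(serial, revoked_at, reason=None):
    """Encode one revokedCertificates entry; reason=None omits the extension,
    which is what the BRs require when the reason would be unspecified."""
    body = der_integer(serial) + tlv(0x17, revoked_at.strftime("%y%m%d%H%M%SZ").encode())
    if reason is not None:
        ext = tlv(0x30, tlv(0x06, OID_CRL_REASON) + tlv(0x04, tlv(0x0A, bytes([reason]))))
        body += tlv(0x30, ext)                       # crlEntryExtensions
    return tlv(0x30, body)

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_entry(der):
    """Return (serial, reasonCode or None) from a revokedCertificates entry."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("CRL entry must be a SEQUENCE")
    fields = children(body)                          # serial, revocationDate, [extensions]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    reason = None
    if len(fields) > 2:
        for _, ext_body in children(fields[2][1]):
            parts = children(ext_body)               # OID, [critical BOOLEAN], OCTET STRING
            if parts[0][1] == OID_CRL_REASON:
                etag, evalue = children(parts[-1][1])[0]
                if etag == 0x0A:                     # ENUMERATED
                    reason = int.from_bytes(evalue, "big")
    return serial, reason

def lint_entries(entries):
    """List (serial, code, name) for every entry carrying a banned reasonCode."""
    violations = []
    for der in entries:
        serial, reason = parse_entry(der)
        if reason is not None and reason in BANNED_FOR_TLS_EE:
            violations.append((serial, reason, REASON_NAMES.get(reason, "unknown")))
    return violations

def sample_entries():
    # Constructed sample data for the example, not a real CRL
    when = datetime.datetime(2022, 3, 22, 23, 27, 0)
    return [
        crl_entry(0x1001, when),            # no reasonCode: fine
        crl_entry(0x1002, when, reason=1),  # keyCompromise: allowed
        crl_entry(0x1003, when, reason=0),  # unspecified: must be omitted instead
        crl_entry(0x1004, when, reason=6),  # certificateHold: banned by BR 7.2.2
        crl_entry(0x1005, when, reason=7),  # value 7 is not used
        crl_entry(0x1006, when, reason=8),  # removeFromCRL: entries are never removed
    ]

if __name__ == "__main__":
    for serial, code, name in lint_entries(sample_entries()):
        print(f"serial {serial:#x}: reasonCode {code} ({name}) is not permitted")
```

Run stand-alone it reports the four offending sample entries; entries without a reasonCode and entries with keyCompromise pass. The decoder tolerates the optional `critical` BOOLEAN by always taking the last element of the Extension as extnValue, and a CRL that is really being audited would be walked the same way after extracting its revokedCertificates sequence.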