CA/Revocation Reasons

303 bytes removed, 23:50, 22 March 2022
continued drafting text
* unspecified (RFC 5280 CRLReason #0)
** Section 5.3.1 of RFC 5280 says: "the reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value"
** Section 7.2.2 of the BRs says: "The CRLReason indicated MUST NOT be unspecified (0). If the reason for revocation is unspecified, CAs MUST omit reasonCode entry extension"
* cACompromise (RFC 5280 CRLReason #2)
** cACompromise is used when revoking a CA certificate (i.e. an intermediate certificate as opposed to an end-entity certificate); it indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised. In other words, this reason code is used when revoking an intermediate certificate.
** When an intermediate certificate is revoked and added to OneCRL all certificates signed by that intermediate certificate are also treated as revoked.
*** [https://www.ccadb.org/policy#4-intermediate-certificates Section 4 of the CCADB Policy] says: "If an intermediate certificate is revoked, the CCADB must be updated to mark it as revoked, giving the reason why, within 24 hours for a security incident, and within 7 days for any other reason."
* certificateHold (RFC 5280 CRLReason #6)
** Section 7.2.2 of the BRs says: "If a CRL entry is for a Certificate subject to these Requirements, the CRLReason MUST NOT be certificateHold (6)."
* removeFromCRL (RFC 5280 CRLReason #8)
** Section 5.3.1 of RFC 5280 says: "The removeFromCRL (8) reasonCode value may only appear in delta CRLs and indicates that a certificate is to be removed from a CRL because either the certificate expired or was removed from hold."
*** An entry with this removeFromCRL reason code shall be used in delta-CRLs for which the corresponding base CRL or any subsequent (delta or complete for scope) CRL contains an entry for the same certificate with reason code certificateHold.
** Since the BRs do not allow the certificateHold CRLReason to be used, the removeFromCRL reason is not applicable.
** Additionally, section 4.10.1 of the BRs says: “Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the Expiry Date of the revoked Certificate.”
* aACompromise (RFC 5280 CRLReason #10)
** Not applicable to TLS certificates, because aACompromise is used for attribute certificates when aspects of the attribute authority (AA) have been compromised.
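As an added example (not part of this wiki page or of any CA's tooling), the rules quoted above expressed as a small lint over CRL entries; the dict-based entry format, the helper names and the sample serial numbers are assumptions made for the demo:

```python
"""Lint CRL entry reason codes against the RFC 5280 / BR rules listed above.
Added example; the dict entry format is an assumption, not any CA's data model."""

# RFC 5280 CRLReason values discussed on this page (plus keyCompromise = 1).
UNSPECIFIED, CA_COMPROMISE, CERTIFICATE_HOLD, REMOVE_FROM_CRL, AA_COMPROMISE = 0, 2, 6, 8, 10


def check_reason(reason, is_ca_cert, is_delta_crl=False):
    """Return a list of findings for one CRL entry.

    reason: integer CRLReason, or None when the reasonCode extension is absent.
    is_ca_cert: True when the revoked certificate is an intermediate (CA) certificate.
    is_delta_crl: True when the entry comes from a delta CRL rather than a full CRL.
    """
    findings = []
    if reason is None:
        return findings  # omitting reasonCode is what RFC 5280 and the BRs want
    if reason == UNSPECIFIED:
        findings.append("BR 7.2.2: unspecified (0) MUST NOT be used; omit reasonCode instead")
    elif reason == CA_COMPROMISE and not is_ca_cert:
        findings.append("cACompromise (2) is for revoking CA certificates, not end-entity certificates")
    elif reason == CERTIFICATE_HOLD:
        findings.append("BR 7.2.2: certificateHold (6) MUST NOT be used")
    elif reason == REMOVE_FROM_CRL:
        findings.append("removeFromCRL (8) is not applicable under the BRs (certificateHold is forbidden)")
        if not is_delta_crl:
            findings.append("RFC 5280 5.3.1: removeFromCRL (8) may only appear in delta CRLs")
    elif reason == AA_COMPROMISE:
        findings.append("aACompromise (10) applies to attribute certificates, not TLS certificates")
    return findings


def lint_crl(entries, is_delta_crl=False):
    """Map serial -> findings for every entry that has at least one finding."""
    report = {}
    for entry in entries:
        found = check_reason(entry.get("reason"), entry.get("is_ca_cert", False), is_delta_crl)
        if found:
            report[entry["serial"]] = found
    return report


# Constructed sample entries (serial numbers and reasons invented for the demo).
SAMPLE_ENTRIES = [
    {"serial": "01", "reason": None},                               # fine: reasonCode absent
    {"serial": "02", "reason": UNSPECIFIED},                        # BR violation
    {"serial": "03", "reason": CA_COMPROMISE, "is_ca_cert": True},  # fine: intermediate
    {"serial": "04", "reason": CA_COMPROMISE},                      # misuse on a leaf cert
    {"serial": "05", "reason": CERTIFICATE_HOLD},                   # BR violation
    {"serial": "06", "reason": REMOVE_FROM_CRL},                    # not applicable, and not a delta CRL
    {"serial": "07", "reason": AA_COMPROMISE},                      # not applicable to TLS
    {"serial": "08", "reason": 1},                                  # keyCompromise: fine
]

if __name__ == "__main__":
    for serial, findings in lint_crl(SAMPLE_ENTRIES).items():
        print(serial, *findings, sep="\n  ")
```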