CA/Revocation Reasons

1,617 bytes added, 00:16, 23 March 2022
continued drafting text
== Communication to Subscribers ==
Text removed by this revision (draft notes):

TO DO
* Suggestions about language that can be used
* No reason provided (default value) if they do not know
* Certificate subscribers are not required to provide a revocation reason, and they can leave it unspecified.
* The most common revocation reason that Subscribers revoke certificates is because they were told to by their Security team, with no explanation.
* Make it clear that we expect most revocations to not have a reason.
Subscribers are not required to select a reason code unless their private key has been compromised.

Text as of this revision:

Section 6.1.1 of Mozilla's Root Store Policy requires the CA's subscriber agreement for TLS end-entity certificates to inform certificate subscribers about the following revocation reasons. Additionally, tools that the CA provides to the certificate subscriber MUST allow for these options to be easily specified when the certificate subscriber requests revocation of their TLS end-entity certificate.
* No reason provided
** This MUST be the default value in tools provided by the CA.
** Certificate subscribers are not required to provide a revocation reason, unless their private key has been compromised.
** We expect that there will not be a reason provided for most revocations.
* keyCompromise (RFC 5280 CRLReason #1)
** This revocation reason MUST be selected by the certificate subscriber when they become aware or have reason to believe that the private key of their certificate has been compromised, e.g. an unauthorized person has had access to the private key of their certificate.
* cessationOfOperation (RFC 5280 CRLReason #5)
** The certificate subscriber MAY choose this revocation reason when they will no longer be using the certificate, and there is no reason to suspect that the private key has been compromised.
* affiliationChanged (RFC 5280 CRLReason #3)
** The certificate subscriber MAY choose this revocation reason when their organization's name or other organizational information in the certificate has changed, and there is no reason to suspect that the private key has been compromised.
* superseded (RFC 5280 CRLReason #4)
** The certificate subscriber MAY choose this revocation reason when they want to replace their certificate, and there is no reason to suspect that the private key has been compromised.
<br>'''NOTE:''' The following revocation reason does '''not''' need to be documented in the CA's subscriber agreement for TLS end-entity certificates and does '''not''' need to be made available to the certificate subscriber as a revocation reason option, because the use of this reason is determined by the CA and not the subscriber.
* privilegeWithdrawn (RFC 5280 CRLReason #9)
**
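The list above maps policy wording onto the RFC 5280 CRLReason enumeration that ends up in the CRL entry. The following Python is an added example, not code from the Mozilla wiki or from any CA's tooling: it models the subscriber-facing choice (no reason is the default; keyCompromise, cessationOfOperation, affiliationChanged and superseded are selectable; privilegeWithdrawn is CA-only), and it DER-encodes and decodes the reasonCode CRL entry extension (OID 2.5.29.21). The function names, the `SUBSCRIBER_SELECTABLE` set and the error type are assumptions made for this example. It also follows RFC 5280 section 5.3.1, which says the extension should be absent rather than carry unspecified(0).

```python
"""Subscriber revocation reasons (Mozilla Root Store Policy 6.1.1 wording above)
mapped to RFC 5280 CRLReason codes, plus DER encoding of the reasonCode
CRL entry extension. Example code; names below are this example's own."""
from enum import IntEnum
from typing import Optional


class CRLReason(IntEnum):
    """RFC 5280 section 5.3.1 CRLReason ENUMERATED values (7 is unused in the RFC)."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10


# Reasons the policy text says CA tooling must let a subscriber pick (assumed set for
# this example). "No reason provided" is modelled as None and is the default.
SUBSCRIBER_SELECTABLE = frozenset({
    CRLReason.keyCompromise,
    CRLReason.cessationOfOperation,
    CRLReason.affiliationChanged,
    CRLReason.superseded,
})


class RevocationReasonError(ValueError):
    """A subscriber-supplied reason is unknown or is not subscriber-selectable."""


def reason_from_subscriber_request(reason_name: Optional[str]) -> Optional[CRLReason]:
    """Validate the reason a subscriber selected; an empty selection means no reason."""
    if not reason_name:  # default: no reason provided
        return None
    try:
        reason = CRLReason[reason_name]
    except KeyError:
        raise RevocationReasonError(f"unknown revocation reason {reason_name!r}") from None
    if reason not in SUBSCRIBER_SELECTABLE:
        # privilegeWithdrawn is decided by the CA; cACompromise etc. are never subscriber options
        raise RevocationReasonError(f"{reason.name} is not a subscriber-selectable reason")
    return reason


REASON_CODE_OID_DER = bytes.fromhex("0603551d15")  # OBJECT IDENTIFIER 2.5.29.21 (id-ce-cRLReasons)


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short-form length; sufficient for this small extension."""
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body


def reason_code_extension_der(reason: Optional[CRLReason]) -> Optional[bytes]:
    """DER for the CRL entry Extension { OID 2.5.29.21, OCTET STRING { ENUMERATED reason } }.

    Returns None when no reason was given: RFC 5280 says the extension SHOULD be
    absent instead of carrying unspecified(0), so the CRL entry simply omits it."""
    if reason is None or reason == CRLReason.unspecified:
        return None
    enumerated = _tlv(0x0A, bytes([int(reason)]))  # ENUMERATED
    return _tlv(0x30, REASON_CODE_OID_DER + _tlv(0x04, enumerated))  # SEQUENCE { OID, OCTET STRING }


def decode_reason_code_extension(der: bytes) -> CRLReason:
    """Parse the extension back, checking every tag and length along the way."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a DER SEQUENCE of the expected length")
    body = der[2:]
    if not body.startswith(REASON_CODE_OID_DER):
        raise ValueError("extension OID is not id-ce-cRLReasons")
    octets = body[len(REASON_CODE_OID_DER):]
    if len(octets) != 5 or octets[:2] != b"\x04\x03" or octets[2:4] != b"\x0a\x01":
        raise ValueError("malformed reasonCode value")
    return CRLReason(octets[4])  # raises ValueError for values RFC 5280 does not define


if __name__ == "__main__":
    # Constructed sample requests: one with the default (no reason), one keyCompromise.
    for chosen in (None, "keyCompromise"):
        reason = reason_from_subscriber_request(chosen)
        der = reason_code_extension_der(reason)
        print(chosen, "->", reason, "->", der.hex() if der else "extension omitted")
```

A CA's revocation endpoint would run `reason_from_subscriber_request` on whatever the subscriber's form submitted and attach the resulting extension, if any, to the CRL entry; rejecting privilegeWithdrawn at this layer is what keeps the CA-determined reason out of the subscriber-facing option list.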
== Key Compromise ==