Confirm, administrator
5,526
edits
Changes
continued drafting text
** We expect that there will not be a reason provided for most revocations.
* keyCompromise (RFC 5280 CRLReason #1)
** This The certificate subscriber MUST choose the "keyCompromise" revocation reason MUST be selected by the certificate subscriber when they become aware of or have reason to believe that the private key of their certificate has been compromised, e.g. an unauthorized person has had access to the private key of their certificate.
* cessationOfOperation (RFC 5280 CRLReason #5)
** The certificate subscriber MAY SHOULD choose this the "cessationOfOperation" revocation reason when they no longer own all of the domain names in the certificate or when they will no longer be using the certificate, and there is no reason to suspect that the private key has been compromisedbecause they are discontinuing their website.
* affiliationChanged (RFC 5280 CRLReason #3)
** The certificate subscriber MAY SHOULD choose this the "affiliationChanged" revocation reason when their organization's name or other organizational information in the certificate has changed, and there is no reason to suspect that the private key has been compromised.
* superseded (RFC 5280 CRLReason #4)
** The certificate subscriber MAY SHOULD choose this revocation the "superseded" reason when they request a new certificate to replace their existing certificate, and there is no reason to suspect that the private key has been compromised.
<br>
'''NOTE:''' The following revocation reason does '''not''' need to be documented in the CA's subscriber agreement for TLS-end-entity certificates and does '''not''' need to be made available to the certificate subscriber as a revocation reason option, because the use of this reason is determined by the CA and not the subscriber.
