
CA/Revocation Reasons

789 bytes added, 22:39, 12 April 2022
continued drafting text
== Communication to Subscribers ==
Section 6.1.1 of Mozilla's Root Store Policy (starting with version 2.8) requires that the CA's Subscriber Agreement or Terms of Use for TLS end-entity certificates inform certificate subscribers about the following revocation reasons. The Subscriber Agreement or Terms of Use MUST contain provisions imposing on the Applicant itself (or made by the Applicant on behalf of its principal or agent under a subcontractor or hosting service relationship) an obligation and warranty to specify the following revocation reasons when they are applicable to the reason that the subscriber is requesting that their TLS end-entity certificate be revoked.
* keyCompromise (RFC 5280 CRLReason #1)
** The certificate subscriber MUST choose the "keyCompromise" revocation reason when they become aware of or have reason to believe that the private key of their certificate has been compromised, e.g. an unauthorized person has had access to the private key of their certificate.
* superseded (RFC 5280 CRLReason #4)
** The certificate subscriber SHOULD choose the "superseded" revocation reason when they request a new certificate to replace their existing certificate.
* No reason provided
** When the above reason codes do not apply to the revocation request, the certificate subscriber SHOULD NOT indicate a revocation reason.
 
== Tools for Requesting Revocation ==
Tools that the CA provides to the certificate subscriber MUST allow for these options to be easily specified when the certificate subscriber requests revocation of their TLS end-entity certificate.
* No reason provided
** This MUST be the default value in tools provided by the CA.
** Certificate subscribers are not required to provide a revocation reason, unless their private key has been compromised.
* keyCompromise (RFC 5280 CRLReason #1)
* cessationOfOperation (RFC 5280 CRLReason #5)
* affiliationChanged (RFC 5280 CRLReason #3)
* superseded (RFC 5280 CRLReason #4)
 
'''NOTE:''' The following revocation reason does '''not''' need to be documented in the CA's subscriber agreement for TLS end-entity certificates and does '''not''' need to be made available to the certificate subscriber as a revocation reason option, because the use of this reason is determined by the CA and not the subscriber.
* privilegeWithdrawn (RFC 5280 CRLReason #9)
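As an added illustration that is not part of this wiki page or of Mozilla's policy text, the following stdlib-only Python sketch shows how a CA's revocation tool could encode the rules above: "no reason provided" is the default, only the listed reasons are subscriber-selectable, keyCompromise is mandatory when the subscriber reports a compromised key, and privilegeWithdrawn is reserved to the CA. The function and constant names are the example's own; the DER layout of the reasonCode entry extension (OID 2.5.29.21, ENUMERATED value) follows RFC 5280, which also says the extension should be absent rather than carry unspecified(0).

```python
from enum import IntEnum


class CRLReason(IntEnum):
    # RFC 5280 section 5.3.1 CRLReason values used on this page.
    keyCompromise = 1
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    privilegeWithdrawn = 9  # chosen by the CA, never offered to the subscriber


# Options a CA tool may present to the subscriber; None = "no reason provided"
# and is listed first because it MUST be the default.
SUBSCRIBER_SELECTABLE = (
    None,
    CRLReason.keyCompromise,
    CRLReason.cessationOfOperation,
    CRLReason.affiliationChanged,
    CRLReason.superseded,
)


def subscriber_reason_problem(reason, key_compromised):
    """Check a subscriber's revocation request against the page's rules.

    reason: a CRLReason, or None for "no reason provided".
    key_compromised: True when the subscriber reports the private key compromised.
    Returns None when the request is acceptable, otherwise a short error string.
    """
    if reason not in SUBSCRIBER_SELECTABLE:
        return f"{reason!r} is not a subscriber-selectable revocation reason"
    if key_compromised and reason != CRLReason.keyCompromise:
        return "keyCompromise MUST be chosen when the private key is compromised"
    return None


def encode_reason_code_extension(reason):
    """DER-encode the reasonCode CRL entry extension for one revoked entry.

    Extension ::= SEQUENCE { extnID OID 2.5.29.21, extnValue OCTET STRING
    wrapping ENUMERATED reason }. Returns b"" for "no reason provided",
    since RFC 5280 prefers an absent extension over unspecified(0).
    """
    if reason is None:
        return b""
    enumerated = bytes([0x0A, 0x01, int(reason)])          # ENUMERATED n
    octet_string = bytes([0x04, len(enumerated)]) + enumerated
    oid = bytes([0x06, 0x03, 0x55, 0x1D, 0x15])            # 2.5.29.21
    body = oid + octet_string
    return bytes([0x30, len(body)]) + body                  # SEQUENCE
```

The default branch (reason None) yields no extension at all, which is the correct way to represent "no reason provided" in an issued CRL.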
== Key Compromise ==