CA/Revocation Reasons: Difference between revisions

continued drafting text
(continued drafting text)
(continued drafting text)
Line 77: Line 77:


== OCSP ==
== OCSP ==
The [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements] say they following about CRLReasons in OCSP:
Mozilla does not expect there to be CRLReasons in OCSP responses for TLS end-entity certificates.
* Section 7.3: ''Effective 2020‐09‐30, the CRLReason indicated MUST contain a value permitted for CRLs, as specified in Section 7.2.2.''
* Section 7.3.2: ''The singleExtensions of an OCSP response MUST NOT contain the reasonCode (OID 2.5.29.21) CRL entry extension.''


Section 7.3.2 of the BRs says: ''The singleExtensions of an OCSP response MUST NOT contain the reasonCode (OID 2.5.29.21) CRL entry extension.''


 
== certificateHold ==
TO DO
The BRs say the following:
* Address questions about consistency between OCSP and CRL revocation reason codes for a certificate. (Not required by Mozilla)
* Section 7.2.2 says: ''the CRLReason MUST NOT be certificateHold''
 
* Section 7.3 (OCSP Profile) says: ''the CRLReason indicated MUST contain a value permitted for CRLs, as specified in Section 7.2.2.''
 
* Answer question about certificateHold in OCSP responses per RFC 6960?
BRs section 7.2.2: '' the CRLReason MUST NOT be certificateHold''


== Banned Revocation Reasons ==
== Banned Revocation Reasons ==
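
Review bot: the intro line of the OCSP section reads "say they following about CRLReasons in OCSP"; this should be "say the following". In the same section, the Section 7.3 quote ("the CRLReason indicated MUST contain a value permitted for CRLs") and the Section 7.3.2 quote ("singleExtensions of an OCSP response MUST NOT contain the reasonCode") are listed back to back with no sentence saying how a CA should read them together, and the line stating what Mozilla itself expects in OCSP responses for TLS end-entity certificates no longer has a counterpart in the bulleted text. Suggest adding one sentence after the bullets that states Mozilla's expectation in light of both quotes. The Section 7.3 quote is also repeated in the certificateHold section; there it would help to say explicitly that it is cited to carry the 7.2.2 certificateHold prohibition over to OCSP, since the TO DO item about certificateHold in OCSP responses per RFC 6960 is otherwise left unanswered.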