CA/Revocation Reasons: Difference between revisions

(continued drafting text)
The following revocation reason codes are banned for TLS end-entity certificates. This means that if the revocation is for one of the following reasons, the reasonCode extension MUST NOT be provided for that entry in the CRL.
* unspecified (RFC 5280 CRLReason #0)
** Section 5.3.1 of RFC 5280 says: ''the reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value''
** Section 7.2.2 of the BRs says: ''If the reason for revocation is unspecified, CAs MUST omit reasonCode entry extension''
* cACompromise (RFC 5280 CRLReason #2)
** cACompromise is used in revoking a CA certificate (i.e. an intermediate certificate, as opposed to an end-entity certificate); it indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.
** When an intermediate certificate is revoked and added to OneCRL, all certificates signed by that intermediate certificate are also treated as revoked.
*** [https://www.ccadb.org/policy#4-intermediate-certificates Section 4 of the CCADB Policy] says: ''If an intermediate certificate is revoked, the CCADB must be updated to mark it as revoked, giving the reason why, within 24 hours for a security incident, and within 7 days for any other reason.''
* certificateHold (RFC 5280 CRLReason #6)
** Section 7.2.2 of the BRs says: ''If a CRL entry is for a Certificate subject to these Requirements, the CRLReason MUST NOT be certificateHold (6).''
* RFC 5280 CRLReason #7
** RFC 5280 says: ''-- value 7 is not used''
* removeFromCRL (RFC 5280 CRLReason #8)
** Section 5.3.1 of RFC 5280 says: ''The removeFromCRL (8) reasonCode value may only appear in delta CRLs and indicates that a certificate is to be removed from a CRL because either the certificate expired or was removed from hold.''
** Since the BRs do not allow the certificateHold CRLReason to be used, the removeFromCRL reason is not applicable.
** Additionally, section 4.10.1 of the BRs says: ''Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the Expiry Date of the revoked Certificate.''
* aACompromise (RFC 5280 CRLReason #10)
** Not applicable to TLS certificates, because aACompromise is used for attribute certificates when aspects of the attribute authority (AA) have been compromised.
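As an added example (not part of the wiki page or any CA's tooling), the following Python lint checks the revokedCertificates entries of a TLS CRL against the banned list above: the reasonCode extension (OID 2.5.29.21) is decoded from its DER ENUMERATED value and flagged when it is absent-but-required (unspecified) or one of the banned values. The entry structure and sample entries are constructed for the example.

```python
# Added example: lint CRL entries for reasonCode values banned for TLS
# end-entity certificates (unspecified, cACompromise, certificateHold,
# value 7, removeFromCRL, aACompromise).
from typing import Dict, List, Optional, Tuple

# OID id-ce-cRLReasons (RFC 5280 section 5.3.1)
CRL_REASON_OID = "2.5.29.21"

# RFC 5280 CRLReason names, indexed by their enumerated value.
CRL_REASON_NAMES = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}

# Values that MUST NOT appear in a TLS end-entity CRL entry (from the list above).
BANNED_FOR_TLS = {0, 2, 6, 7, 8, 10}


def decode_crl_reason(der: bytes) -> int:
    """Decode the extnValue of a reasonCode extension: DER ENUMERATED (tag 0x0A, length 1)."""
    if len(der) != 3 or der[0] != 0x0A or der[1] != 0x01:
        raise ValueError("reasonCode extnValue is not a one-byte DER ENUMERATED")
    return der[2]


def lint_entry(serial: int, extensions: Dict[str, bytes]) -> Optional[str]:
    """Return a finding for one revokedCertificates entry, or None if it is acceptable."""
    der = extensions.get(CRL_REASON_OID)
    if der is None:
        return None  # an absent reasonCode is always allowed (and required for 'unspecified')
    code = decode_crl_reason(der)
    if code == 0:
        return f"serial {serial:x}: reasonCode unspecified(0) present; the extension MUST be omitted"
    if code in BANNED_FOR_TLS:
        name = CRL_REASON_NAMES.get(code, "unassigned")
        return f"serial {serial:x}: reasonCode {name}({code}) is banned for TLS end-entity certificates"
    return None


def lint_crl(entries: List[Tuple[int, Dict[str, bytes]]]) -> List[str]:
    """Lint every (serial, extensions) entry and return the list of findings."""
    return [f for serial, exts in entries for f in [lint_entry(serial, exts)] if f]


# Constructed sample entries (hypothetical serials); two are non-compliant.
SAMPLE_ENTRIES = [
    (0x1001, {CRL_REASON_OID: bytes([0x0A, 0x01, 0x01])}),  # keyCompromise: acceptable
    (0x1002, {CRL_REASON_OID: bytes([0x0A, 0x01, 0x00])}),  # unspecified: must be omitted
    (0x1003, {}),                                            # no reasonCode: acceptable
    (0x1004, {CRL_REASON_OID: bytes([0x0A, 0x01, 0x06])}),  # certificateHold: banned
]
```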