CA/Revocation Reasons

10 bytes added, 00:25, 13 April 2022
continued drafting text
The following revocation reason codes are banned for TLS end-entity certificates. That is, if a certificate is revoked for one of the following reasons, the reasonCode CRL entry extension MUST NOT be included in that certificate's entry in the CRL.
* unspecified (RFC 5280 CRLReason #0)
** Section 5.3.1 of RFC 5280 says: "''the reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value"''
** Section 7.2.2 of the BRs says: "''If the reason for revocation is unspecified, CAs MUST omit reasonCode entry extension"''
* cACompromise (RFC 5280 CRLReason #2)
** cACompromise is used when revoking a CA certificate (i.e. an intermediate certificate, as opposed to an end-entity certificate); it indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised.
** When an intermediate certificate is revoked and added to OneCRL all certificates signed by that intermediate certificate are also treated as revoked.
*** [https://www.ccadb.org/policy#4-intermediate-certificates Section 4 of the CCADB Policy] says: "''If an intermediate certificate is revoked, the CCADB must be updated to mark it as revoked, giving the reason why, within 24 hours for a security incident, and within 7 days for any other reason."''
* certificateHold (RFC 5280 CRLReason #6)
** Section 7.2.2 of the BRs says: "''If a CRL entry is for a Certificate subject to these Requirements, the CRLReason MUST NOT be certificateHold (6)."''
* RFC 5280 CRLReason #7
** RFC 5280 says: "''-- value 7 is not used"''
* removeFromCRL (RFC 5280 CRLReason #8)
** Section 5.3.1 of RFC 5280 says: "''The removeFromCRL (8) reasonCode value may only appear in delta CRLs and indicates that a certificate is to be removed from a CRL because either the certificate expired or was removed from hold."''
** Since the BRs do not allow the certificateHold CRLReason to be used, the removeFromCRL reason is not applicable.
** Additionally, section 4.10.1 of the BRs says: "''Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the Expiry Date of the revoked Certificate."''
* aACompromise (RFC 5280 CRLReason #10)
** Not applicable to TLS certificates, because aACompromise is used for attribute certificates when aspects of the attribute authority (AA) have been compromised.
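The list above can be turned into a mechanical check. The following is an added example, not code from this wiki page or from any CA or browser project: it hand-rolls just enough DER to encode and decode the reasonCode CRL entry extension (RFC 5280 section 5.3.1, OID 2.5.29.21), omits the extension for unspecified(0) as BR 7.2.2 requires, refuses to emit the other banned values, and lints a crlEntryExtensions blob against the ban list. The sample entries it inspects are constructed inline, not captured from a real CRL, and it only handles short-form DER lengths (enough for entry extensions).

```python
"""Lint the reasonCode CRL entry extension against the TLS ban list above.

Added example, not taken from the wiki page. Hand-rolled DER handling
for the crlEntryExtensions field (RFC 5280 section 5.3.1); sample bytes
are constructed here rather than captured from a real CRL.
"""

CRL_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 7: "(value 7 is not used)", 8: "removeFromCRL",
    9: "privilegeWithdrawn", 10: "aACompromise",
}
# Reasons this page says must never appear in a TLS end-entity CRL entry.
BANNED_FOR_TLS = {0, 2, 6, 7, 8, 10}
OID_REASON_CODE = bytes.fromhex("551d15")  # id-ce-cRLReasons, 2.5.29.21


def _tlv(tag, body):
    """Encode one DER TLV (short-form length only: all we need here)."""
    if len(body) >= 128:
        raise ValueError("body too long for short-form length")
    return bytes([tag, len(body)]) + body


def _parse_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos + 2:end], end


def reason_code_extension(reason):
    """DER for the reasonCode entry extension, or None when it must be omitted.

    unspecified(0) is omitted (BR 7.2.2); the other banned values raise.
    """
    if reason == 0:
        return None
    if reason in BANNED_FOR_TLS:
        raise ValueError(f"CRLReason {reason} ({CRL_REASONS[reason]}) "
                         "is banned for TLS end-entity certificates")
    if reason not in CRL_REASONS:
        raise ValueError(f"unknown CRLReason {reason}")
    enumerated = _tlv(0x0A, bytes([reason]))  # CRLReason is an ENUMERATED
    return _tlv(0x30, _tlv(0x06, OID_REASON_CODE) + _tlv(0x04, enumerated))


def entry_extensions(*extensions):
    """Wrap already-encoded Extension values in the crlEntryExtensions SEQUENCE."""
    return _tlv(0x30, b"".join(extensions))


def lint_entry_extensions(der):
    """Return {'reason': int|None, 'name': str, 'banned': bool} for one entry."""
    tag, exts, _ = _parse_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("crlEntryExtensions must be a SEQUENCE")
    reason, pos = None, 0
    while pos < len(exts):
        tag, ext, pos = _parse_tlv(exts, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid, p = _parse_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        tag, value, p = _parse_tlv(ext, p)
        if tag == 0x01:  # optional critical BOOLEAN; skip it if present
            tag, value, p = _parse_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        if oid != OID_REASON_CODE:
            continue  # some other entry extension; not our concern here
        tag, enum, _ = _parse_tlv(value, 0)
        if tag != 0x0A or len(enum) != 1:
            raise ValueError("reasonCode must be a one-byte ENUMERATED")
        reason = enum[0]
    if reason is None:
        return {"reason": None, "name": "omitted", "banned": False}
    return {"reason": reason,
            "name": CRL_REASONS.get(reason, "unknown"),
            "banned": reason in BANNED_FOR_TLS}


if __name__ == "__main__":
    # Constructed entries: a compliant keyCompromise entry and a banned
    # certificateHold entry, built by hand to bypass reason_code_extension().
    good = entry_extensions(reason_code_extension(1))
    hold = entry_extensions(_tlv(0x30, _tlv(0x06, OID_REASON_CODE)
                                 + _tlv(0x04, _tlv(0x0A, b"\x06"))))
    for entry in (good, hold):
        print(entry.hex(), lint_entry_extensions(entry))
```

A CRL entry whose crlEntryExtensions is absent entirely, or present but without a reasonCode, is reported as "omitted" and passes; that is the encoding a CA should produce for an unspecified revocation.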