CA/Revocation Reasons: Difference between revisions

Incorporating feedback
(continued drafting text)
(Incorporating feedback)
Line 8: Line 8:
* There were no policies specifying the information that CAs should provide to their certificate subscribers about revocation reasons
* There were no policies specifying the information that CAs should provide to their certificate subscribers about revocation reasons


The following CRLRevocation Reasons may be specified in the CRL reasonCode extension for end-entity TLS certificates. They MUST be specified under the conditions detailed in section 6.1.1 of Mozilla's Root Store Policy (starting with version 2.8).
TLS Certificates may be revoked ONLY for one of the following reasons:
* unspecified (RFC 5280 CRLReason #0)
* keyCompromise (RFC 5280 CRLReason #1)
* keyCompromise (RFC 5280 CRLReason #1)
* affiliationChanged (RFC 5280 CRLReason #3)
* superseded (RFC 5280 CRLReason #4)
* cessationOfOperation (RFC 5280 CRLReason #5)
* privilegeWithdrawn (RFC 5280 CRLReason #9)
* privilegeWithdrawn (RFC 5280 CRLReason #9)
* cessationOfOperation (RFC 5280 CRLReason #5)
 
The CRL reasonCode extension must be used when any of the following reasons are used:
* keyCompromise (RFC 5280 CRLReason #1)
* affiliationChanged (RFC 5280 CRLReason #3)
* affiliationChanged (RFC 5280 CRLReason #3)
* superseded (RFC 5280 CRLReason #4)
* superseded (RFC 5280 CRLReason #4)
* cessationOfOperation (RFC 5280 CRLReason #5)
* privilegeWithdrawn (RFC 5280 CRLReason #9)
If the reason for revocation is unspecified (RFC 5280 CRLReason #0), the CRL reasonCode for that entry must be omitted.


== Communication to Subscribers ==
== Communication to Subscribers ==
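Review bot: the lead-in "The following CRLRevocation Reasons may be specified in the CRL reasonCode extension" is followed, as rendered here, by a list that begins with unspecified (RFC 5280 CRLReason #0), while the last line of the hunk says the reasonCode for an unspecified entry must be omitted. The two statements read as contradictory unless unspecified is dropped from that list or the lead-in says that #0 is expressed by leaving the extension out. "CRLRevocation Reasons" also does not match the "CRLReason" term used in every list item, so "CRLReasons" would be consistent. Requirement keywords are mixed as well ("MUST be specified" in the lead-in, lowercase "must be used" and "must be omitted" further down); one convention throughout would make clear which statements are normative.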