Changes

CA/Revocation Reasons

30 bytes added, 18:37, 13 April 2022
Incorporating feedback
Section 6.1.1 of Mozilla's Root Store Policy (starting with version 2.8) requires that the Subscriber Agreement or Terms of Use for TLS end-entity certificates inform certificate subscribers about the following revocation reasons. The Subscriber Agreement or Terms of Use MUST contain provisions imposing on the Applicant itself (or made by the Applicant on behalf of its principal or agent under a subcontractor or hosting service relationship) an obligation and warranty to specify the following revocation reasons when they are applicable to the reason that the subscriber is requesting that their certificate be revoked.
* No reason provided or unspecified (RFC 5280 CRLReason #0)
** When the reason codes below do not apply to the revocation request, the certificate may be revoked with an unspecified reason.
* keyCompromise (RFC 5280 CRLReason #1)
** The certificate subscriber MUST choose the "keyCompromise" revocation reason when they become aware of or have reason to believe that the private key of their certificate has been compromised, e.g. an unauthorized person has had access to the private key of their certificate.
* cessationOfOperation (RFC 5280 CRLReason #5)
** The certificate subscriber SHOULD choose the "cessationOfOperation" revocation reason when they no longer own all of the domain names in the certificate or when they will no longer be using the certificate because they are discontinuing their website.
* affiliationChanged (RFC 5280 CRLReason #3)
** The certificate subscriber SHOULD choose the "affiliationChanged" revocation reason when their organization's name or other organizational information in the certificate has changed.
* superseded (RFC 5280 CRLReason #4)
** The certificate subscriber SHOULD choose the "superseded" revocation reason when they request a new certificate to replace their existing certificate.
Section 7.2.2 of the [https://cabforum.org/baseline-requirements-documents/ CA Browser Forum Baseline Requirements] says: