Confirm, administrator
5,526
edits
Changes
Added further clarifications
For example, if both privilegeWithdrawn and cessationOfOperation apply, then privilegeWithdrawn should be used.
Each sub-section within section 6.1.1 of Mozilla's Root Store policy ends with the sentence: "Otherwise, the <reason code> CRLReason MUST NOT be used." That sentence applies to the entire sub-section for each revocation reason code.
Treat the "intended" list within each sub-section as "SHOULD" (e.g. "The CRLReason <reason code> is intended to be used to indicate when:").
For example, if the certificate subscriber still owns the domain name and just turns off their web server without revoking their certificate for cessationOfOperation, the CA operator is not responsible for revoking the certificate unless the CA operator becomes aware of keyCompromise or the subscriber agreement not being followed, or until the CA operator receives verifiable evidence that the certificate subscriber no longer controls, or is no longer authorized to use, all of the domain names in the certificate.
== OCSP ==
