m (minor update)
(continued drafting text)
Line 16: | Line 16: | ||
== Communication to Subscribers == | == Communication to Subscribers == | ||
Section 6.1.1 of Mozilla's Root Store Policy requires the | Section 6.1.1 of Mozilla's Root Store Policy (starting with version 2.8) requires that the Subscriber Agreement or Terms of Use for TLS end-entity certificates inform certificate subscribers about the following revocation reasons. The Subscriber Agreement or Terms of Use MUST contain provisions imposing on the Applicant itself (or made by the Applicant on behalf of its principal or agent under a subcontractor or hosting service relationship) an obligation and warranty to specify the following revocation reasons when they are applicable to the reason that the subscriber is requesting that their certificate be revoked. | ||
* keyCompromise (RFC 5280 CRLReason #1) | * keyCompromise (RFC 5280 CRLReason #1) | ||
** The certificate subscriber MUST choose the "keyCompromise" revocation reason when they become aware of or have reason to believe that the private key of their certificate has been compromised, e.g. an unauthorized person has had access to the private key of their certificate. | ** The certificate subscriber MUST choose the "keyCompromise" revocation reason when they become aware of or have reason to believe that the private key of their certificate has been compromised, e.g. an unauthorized person has had access to the private key of their certificate. | ||
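Review bot: The second sentence of the rewritten Section 6.1.1 paragraph is hard to parse because "reason" is nested three times ("specify the following revocation reasons when they are applicable to the reason that the subscriber is requesting that their certificate be revoked"). Suggest tightening to: "an obligation and warranty to specify one of the following revocation reasons, when applicable, in any request to revoke the certificate." The old left-column text ended mid-sentence at "requires the", so completing it here is the right fix; only the wording of the completion needs work.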
Line 28: | Line 26: | ||
* superseded (RFC 5280 CRLReason #4) | * superseded (RFC 5280 CRLReason #4) | ||
** The certificate subscriber SHOULD choose the "superseded" revocation reason when they request a new certificate to replace their existing certificate. | ** The certificate subscriber SHOULD choose the "superseded" revocation reason when they request a new certificate to replace their existing certificate. | ||
* No reason provided | |||
** When the above reason codes do not apply to the revocation request, the certificate subscriber SHOULD NOT indicate a revocation reason. | |||
== Tools for Requesting Revocation == | |||
Tools that the CA provides to the certificate subscriber MUST allow for these options to be easily specified when the certificate subscriber requests revocation of their TLS end-entity certificate. | |||
* No reason provided | |||
** This MUST be the default value in tools provided by the CA. | |||
** Certificate subscribers are not required to provide a revocation reason, unless their private key has been compromised. | |||
* keyCompromise (RFC 5280 CRLReason #1) | |||
* cessationOfOperation (RFC 5280 CRLReason #5) | |||
* affiliationChanged (RFC 5280 CRLReason #3) | |||
* superseded (RFC 5280 CRLReason #4) | |||
<br> | <br> | ||
'''NOTE:''' The following revocation reason does '''not''' need to be documented in the CA's subscriber agreement for TLS-end-entity certificates and does '''not''' need to be made available to the certificate subscriber as a revocation reason option, because the use of this reason is determined by the CA and not the subscriber. | '''NOTE:''' The following revocation reason does '''not''' need to be documented in the CA's subscriber agreement for TLS-end-entity certificates and does '''not''' need to be made available to the certificate subscriber as a revocation reason option, because the use of this reason is determined by the CA and not the subscriber. | ||
* privilegeWithdrawn (RFC 5280 CRLReason #9) | * privilegeWithdrawn (RFC 5280 CRLReason #9) | ||
== Key Compromise == | == Key Compromise == |
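Review bot: The new "Tools for Requesting Revocation" list orders the reasons keyCompromise (#1), cessationOfOperation (#5), affiliationChanged (#3), superseded (#4), which matches neither the RFC 5280 CRLReason numbering nor the order of the subscriber-agreement list in the preceding section; suggest using the same order in both lists so a reader can cross-check that every reason the subscriber agreement documents is also offered in the CA's tools. Minor style point on the unchanged NOTE line: "TLS-end-entity certificates" is hyphenated differently from "TLS end-entity certificates" used everywhere else on the page.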