All,

I would like to answer a question here about why the "DRAFT Policy about
CRL Revocation Reason Codes for TLS End-Entity Certificates
<https://docs.google.com/document/d/1ESakR4MiwyENyuLefyH2wG8rYbtnmG1xeSYvDNpS-EI/edit?usp=sharing>"
bans the other reason codes.

In the draft policy, these reason codes are allowed:

   - keyCompromise (RFC 5280 Reason Flag #1)
   - affiliationChanged (RFC 5280 Reason Flag #3)
   - superseded (RFC 5280 Reason Flag #4)
   - cessationOfOperation (RFC 5280 Reason Flag #5)
   - privilegeWithdrawn (RFC 5280 Reason Flag #9)

The following reason codes are banned for TLS end-entity certificates,
meaning that if revocation is for one of the following, then the reasonCode
extension MUST NOT be provided for that entry in the CRL.

   - unspecified (0)
   - cACompromise (2)
   - certificateHold (6)
   - "-- value 7 is not used"
   - removeFromCRL (8)
   - aACompromise (10)

These banned reason codes are either already banned by the BRs or they are 
not applicable to end-entity TLS certificates. Below is a detailed 
explanation for each of them.

unspecified (0)
Section 7.2.2 of the BRs says: “The CRLReason indicated MUST NOT be 
unspecified (0). If the reason for revocation is unspecified, CAs MUST omit 
reasonCode entry extension”

cACompromise (2)
This reason code is used when revoking an intermediate certificate.
When an intermediate certificate is revoked and added to OneCRL all 
certificates signed by that intermediate certificate are also treated as 
revoked.
https://www.ccadb.org/policy#4-intermediate-certificates says: "If an 
intermediate certificate is revoked, the CCADB must be updated to mark it 
as revoked, giving the reason why, within 24 hours for a security incident, 
and within 7 days for any other reason."
Section 4.1 of Mozilla's Root Store Policy says: "If the revocation of an 
intermediate certificate chaining up to a root in Mozilla’s root program is 
due to a security concern, as well as performing the actions defined in the 
CCADB Policy, a security bug must be filed in Bugzilla 
<https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&groups=crypto-core-security>
."

certificateHold (6)
Section 7.2.2 of the BRs says: “If a CRL entry is for a Certificate
subject to these Requirements, the CRLReason MUST NOT be certificateHold
(6).”

removeFromCRL (8)
Section 4.10.1 of the BRs says: “Revocation entries on a CRL or OCSP 
Response MUST NOT be removed until after the Expiry Date of the revoked 
Certificate.”

aACompromise (10)
Not applicable to TLS certificates. aACompromise is used for attribute 
certificates when aspects of the attribute authority (AA) have been 
compromised.

I hope this detailed explanation is helpful.

Thanks,
Kathleen

