Doug,

I believe I have addressed all of the items that you recently raised in the DRAFT Policy about CRL Revocation Reason Codes for TLS Server Certs <https://docs.google.com/document/d/1ESakR4MiwyENyuLefyH2wG8rYbtnmG1xeSYvDNpS-EI/edit?usp=sharing>. Would you please double-check?

#1) Added "for that subscriber" to the last sentence of the second bullet under the scope of the keyCompromise.

    The CA MUST NOT assume that it has evidence of private key compromise for the purposes of revoking the certificates of other subscribers, but MAY block issuance of future certificates with that key for that subscriber.

#2) Rephrased the last bullet point in the privilegeWithdrawn section

    the CA determines or is made aware that the original certificate request was not authorized and does not retroactively grant authorization.

#3) Rephrased parts of the superseded section

    - the certificate subscriber has requested a new certificate to replace an existing certificate; or
    - the CA has revoked the certificate for compliance reasons ...

#4) General question

I broke up some of the paragraphs into bullet points to hopefully make it easier to read. I separated and moved the "Otherwise, the <reason> CRLReason MUST NOT be used." sentence to the bottom of each section, as its own paragraph.

Thanks,
Kathleen
