See an additional comment below:

On Tue, Apr 19, 2022 at 2:11 PM Ben Wilson <[email protected]> wrote:
> See responses below.
>
> On Tue, Apr 19, 2022 at 2:56 AM Dimitris Zacharopoulos <[email protected]>
> wrote:
>
>>
>> Hi Ben,
>>
>> Here are the comments from the HARICA team:
>>
> ...
>
>> -
>>    *superseded*
>>
>>    - *"the CA obtains reasonable evidence that the validation of
>>    domain authorization or control for any fully‐qualified domain name or IP
>>    address in the certificate should not be relied upon; or"*
>>    - *"the CA has revoked the certificate for compliance reasons such
>>    as the certificate does not comply with this policy, the CA/Browser
>>    Forum's Baseline Requirements, or the CA’s CP or CPS."*
>>
>>
>> Looking at these reasons, we have very similar intent for the reason
>> "privilegeWithdrawn". Most probably, the intent of the revocationReason is
>> to indicate *why* a certificate has been revoked. Relying Parties
>> probably don't care if a new certificate has been issued to replace a
>> revoked one or not, but are more interested in why a particular certificate
>> was revoked.
>>
>
> What if we combine the second and third bullets (failure of domain/IP
> address verification and compliance reasons) to read, "the CA has revoked
> the certificate because it was not issued in full compliance with this
> policy, the CA/Browser Forum's Baseline Requirements, or the CA’s CP or
> CPS."? The reason being that we want "superseded" to encompass certificate
> replacement situations where there has not been a Subscriber's breach
> (privilegeWithdrawn).
>

On second thought, I think that the second bullet under "superseded" can be deleted and that the third bullet can be left "as is".
So it would read,

*The CRLReason superseded is intended to be used to indicate when:*

- *the certificate subscriber has requested a new certificate to replace an existing certificate; or*
- *the CA has revoked the certificate for compliance reasons such as the certificate does not comply with this policy, the CA/Browser Forum's Baseline Requirements, or the CA’s CP or CPS.*
