On Fri, Jun 24, 2022 at 12:06 PM Ben Wilson <[email protected]> wrote:

> I think it would be appropriate to shield the "affiliationChanged" reason
> code from appearing in your CRLs when you only issue DV certificates, and
> they don't include Subject Identity Information.
>

We intend to specify the same reasonCodes in both CRLs and OCSP responses.
The most straightforward choice would be for us to reject subscriber
revocation requests that specify "affiliationChanged", requiring the
subscriber to choose a more correct reasonCode. A second choice would be to
accept those subscriber revocation requests but silently change them to
"unspecified" before writing to our storage.

>   - "subject's name" is not totally clear to me. From context it seems like
> it means a subset of "subject identity information" (specifically the
> Organization field), but that would be redundant. Alternatively, it could
> refer to the entire Subject field (which is encoded as an X.501 Name), but
> then "subject identity information" would be a subset of "name" and it
> would be redundant in the other direction.
>
> Yes.  We should have been more clear that "Subject Identity Information"
> refers to the definition in the BRs.  We can make this clearer in the
> guidance.
>

Sounds good! What about "subject's name" - what does that refer to?

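As an added illustration of the two options described in the message above (reject "affiliationChanged" outright, or accept it and store "unspecified"), here is a small stand-alone Python module. It is not code from this thread or from any CA's implementation; it assumes the RFC 5280 CRLReason values and shows the same ENUMERATED value being carried both as a CRL entry reasonCode extension and as an OCSP revocationReason, so whichever option is chosen produces one consistent value in both places. The function and class names are hypothetical.

```python
from enum import IntEnum


class CRLReason(IntEnum):
    """CRLReason values from RFC 5280 section 5.3.1 (value 7 is not assigned)."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10


# DER content octets of id-ce-cRLReasons (OID 2.5.29.21)
REASON_CODE_OID = bytes.fromhex("551d15")


class RevocationRequestError(ValueError):
    """Raised when a subscriber-supplied reasonCode is refused (option 1)."""


def normalize_subscriber_reason(reason: CRLReason, *, reject: bool) -> CRLReason:
    """Apply the DV-only policy from the thread to a subscriber's reasonCode.

    reject=True  -> option 1: refuse affiliationChanged, subscriber must choose another.
    reject=False -> option 2: accept the request but store unspecified instead.
    Every other reasonCode passes through unchanged.
    """
    if reason != CRLReason.affiliationChanged:
        return CRLReason(reason)
    if reject:
        raise RevocationRequestError(
            "affiliationChanged is not meaningful for a certificate without "
            "Subject Identity Information; choose another reasonCode")
    return CRLReason.unspecified


def _der(tag: int, content: bytes) -> bytes:
    # Short-form length only; every value built here is far below 128 bytes.
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def encode_reason_code_extension(reason: CRLReason) -> bytes:
    """DER-encode the CRL entry extension (RFC 5280 section 5.3.1):
    Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    where extnValue wraps CRLReason ::= ENUMERATED (non-critical, so no BOOLEAN)."""
    enumerated = _der(0x0A, bytes([int(reason)]))
    return _der(0x30, _der(0x06, REASON_CODE_OID) + _der(0x04, enumerated))


def encode_ocsp_revocation_reason(reason: CRLReason) -> bytes:
    """DER-encode RevokedInfo.revocationReason [0] EXPLICIT CRLReason (RFC 6960),
    i.e. the same ENUMERATED value under a constructed context tag 0."""
    return _der(0xA0, _der(0x0A, bytes([int(reason)])))


def decode_reason_code_extension(der: bytes) -> CRLReason:
    """Parse a reasonCode extension; anything other than the exact expected
    shape, or a value RFC 5280 does not assign, raises ValueError."""
    if len(der) != 12 or der[0] != 0x30 or der[1] != 10:
        raise ValueError("not a single reasonCode extension SEQUENCE")
    if der[2:7] != _der(0x06, REASON_CODE_OID):
        raise ValueError("extnID is not id-ce-cRLReasons")
    if der[7:11] != bytes([0x04, 0x03, 0x0A, 0x01]):
        raise ValueError("extnValue is not an OCTET STRING holding one ENUMERATED")
    return CRLReason(der[11])


if __name__ == "__main__":
    # Constructed sample: a subscriber asks for affiliationChanged on a DV cert.
    stored = normalize_subscriber_reason(CRLReason.affiliationChanged, reject=False)
    print("stored reason:", stored.name)
    print("CRL entry extension:", encode_reason_code_extension(stored).hex())
    print("OCSP revocationReason:", encode_ocsp_revocation_reason(stored).hex())
```

Under option 2 the stored value is what gets serialized, so the CRL entry and the OCSP response never disagree; under option 1 the request fails before anything is stored, which is the behaviour the message describes as requiring the subscriber to pick a more correct reasonCode.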