Matthew’s understanding matches mine. As far as I’m aware, the only requirements currently in place are that the following reason codes are either explicitly prohibited or nonsensical for end-entity TLS certificates:

* Unspecified (CAs must not explicitly encode this value, per the BRs)
* certificateHold (suspension is prohibited)
* removeFromCRL (suspension is prohibited, so specifying this value makes no sense)
* cACompromise (this reason code is for CA certificates only)
* aACompromise (this reason code is for attribute certificates only; TLS certs are PKC certs)

Any other reason code can be assigned for any reason. This will change in October, when the new Mozilla policy that Matthew pointed out comes into effect.

Thanks,
Corey

From: 'Matthew McPherrin' via [email protected] <[email protected]>
Sent: Tuesday, August 9, 2022 5:40 PM
To: Tavis Ormandy <[email protected]>
Cc: [email protected]
Subject: Re: BR revocation question

The only restrictions on reason codes for revocations that I am aware of is Mozilla's recent addition to their root program rules, https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#611-end-entity-tls-certificate-crlrevocation-reasons

The corresponding wiki page definitely appears to imply that reason codes were generally not restricted, https://wiki.mozilla.org/CA/Revocation_Reasons (but I am far from an expert in such policy matters)

On Tue, Aug 9, 2022 at 2:52 PM Tavis Ormandy <[email protected]> wrote:

Apologies if I send this twice, I tried posting it via gmane and I think it failed.

I understand the BRs require revocation in some circumstances, but are there any limits on when an issuer can revoke? Can they revoke for any reason whatsoever? Is the reason code required to be honest?

I was recently surprised by an issuer demanding maintenance fees to *not* revoke a certificate. The certificate was not compromised and not expiring. Is this permitted by the BRs? It feels like misusing a mechanism that was intended to protect the PKI, not extract profit.

I was being lazy and not migrating a very old system to ACME. I've migrated it now, because that felt really gross.

I don't know what reason code they use for the revocation, I guess I'm curious if they will lie.

Tavis.

--
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger [email protected]
_\_V _( ) _( )  @taviso
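A checker for the reason-code list in Corey's message, added here as an example and not code from the thread or from any CA tooling: it walks one DER-encoded revokedCertificates entry with a minimal TLV reader, pulls out the CRLReason extension (OID 2.5.29.21), and reports whether the code is one the message names as prohibited or nonsensical for end-entity TLS certificates. The sample entry bytes are constructed; real CRLs would be sliced into entries by the same reader.

```python
# CRLReason values from RFC 5280 5.3.1 (7 is unused)
REASON_NAMES = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
                4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
                8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}
# Codes the thread lists as prohibited or nonsensical for end-entity TLS certificates
DISALLOWED_FOR_TLS_EE = {
    0: "CAs must not explicitly encode unspecified (BRs)",
    2: "cACompromise is for CA certificates only",
    6: "certificateHold: suspension is prohibited",
    8: "removeFromCRL: suspension is prohibited, so this makes no sense",
    10: "aACompromise is for attribute certificates only"}
ID_CE_CRL_REASONS = bytes.fromhex("551d15")  # DER content bytes of OID 2.5.29.21

def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_revoked_entry(entry_der):
    """Return (serial, reason_code or None) from one DER revokedCertificates entry."""
    tag, body, _ = _tlv(entry_der, 0)
    if tag != 0x30:
        raise ValueError("entry is not a SEQUENCE")
    _, serial, pos = _tlv(body, 0)                      # userCertificate INTEGER
    _, _, pos = _tlv(body, pos)                         # revocationDate (skipped)
    serial = int.from_bytes(serial, "big", signed=True)
    if pos >= len(body):
        return serial, None                             # no crlEntryExtensions
    _, exts, _ = _tlv(body, pos)
    p = 0
    while p < len(exts):                                # SEQUENCE OF Extension
        _, ext, p = _tlv(exts, p)
        _, oid, q = _tlv(ext, 0)
        tag, val, q = _tlv(ext, q)
        if tag == 0x01:                                 # skip optional critical BOOLEAN
            tag, val, q = _tlv(ext, q)
        if oid == ID_CE_CRL_REASONS:
            _, enum, _ = _tlv(val, 0)                   # extnValue wraps an ENUMERATED
            return serial, int.from_bytes(enum, "big")
    return serial, None

def check_tls_ee_entry(entry_der):
    """Return (serial, reason_name, problem); problem is None when the code is acceptable."""
    serial, code = parse_revoked_entry(entry_der)
    if code is None:
        return serial, None, None                       # omitting the reason code is fine
    return serial, REASON_NAMES.get(code, f"undefined({code})"), DISALLOWED_FOR_TLS_EE.get(code)

# Constructed sample entry: serial 0x1234, revoked 2022-08-09 17:56:18Z, reasonCode certificateHold(6)
SAMPLE_ENTRY = bytes.fromhex("302102021234170d3232303830393137353631385a300c300a0603551d1504030a0106")
```

Running `check_tls_ee_entry(SAMPLE_ENTRY)` reports the certificateHold entry as a problem, while the same entry with reasonCode keyCompromise(1) or with no reasonCode at all passes.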
