Specify revocation reason when revoking TLS certificates

 

From October 1st 2022, the Mozilla Root Store Policy requires that if a TLS certificate is revoked for certain well-defined reasons, the revocation reason must be specified. As a CA operator with root CAs in all relevant root stores, Buypass is obligated to comply with these types of requirements, and this page gives more details about what this means.

Background

The revocation of a certificate implies that the certificate will be invalidated for the remaining certificate lifetime. Buypass supports revocation of all types of certificates, including TLS certificates, and also provides revocation status services such as CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol).

When a certificate is revoked, it’s possible to specify a reason for the revocation, and a reasonCode (see https://www.rfc-editor.org/rfc/rfc5280#section-5.3.1 ) will be available together with information about the revoked certificate and the time of revocation. This reasonCode is available in both the CRL and OCSP services.

From October 1st 2022, Mozilla requires that if a TLS certificate is revoked for some specific reasons, the reason shall be specified and the corresponding reasonCode shall be published in CRL and OCSP. See https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#6-revocation for more information.

Revocation reason options

The industry standard describing revocation defines different revocation reason options, and some of them are mandatory when revoking TLS certificates.

The table below gives an overview of the mandated revocation reason options, the reason code to use, and whether the Subscriber or Buypass (or both) may specify the actual revocation reason option. Some revocation reason options are available for the Subscriber, and all are available for Buypass.

| Revocation reason option | ReasonCode | Used by Subscriber | Used by Buypass |
|---|---|---|---|
| There is reason to believe that the private key has been compromised, e.g. an unauthorized person has had access to the private key. | keyCompromise (#1) | YES | YES |
| The Subscriber’s organization's name or other organizational information in the certificate (e.g. address) has changed. | affiliationChanged (#3) | YES | YES |
| The Subscriber has requested a new certificate to replace their existing certificate. | superseded (#4) | YES | YES |
| The certificate is revoked for compliance reasons, i.e. the certificate does not comply with relevant requirements. | superseded (#4) | NO | YES |
| The Subscriber no longer uses or owns all of the domain names in the certificate. | cessationOfOperation (#5) | YES | YES |
| The Subscriber has violated obligations in the Subscriber agreement. | privilegeWithdrawn (#9) | NO | YES |

If a certificate is revoked for any other reason than those listed above, no reason code shall be specified.
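A relying party or auditor can check this rule mechanically. The following Python is an added example, not Buypass code: it decodes the reasonCode CRL entry extension (OID 2.5.29.21, RFC 5280 section 5.3.1) and reports entries whose code is not one of those in the table above. The function names and the sample entries are constructed for illustration.

```python
# Added example: audit reasonCode CRL entry extensions against the table above.
REASON_OID = bytes.fromhex("551d15")  # id-ce-cRLReasons, OID 2.5.29.21
ALLOWED = {1: "keyCompromise", 3: "affiliationChanged", 4: "superseded",
           5: "cessationOfOperation", 9: "privilegeWithdrawn"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV with a short-form length."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("TLV value runs past the buffer")
    return buf[pos], buf[pos + 2:end], end

def decode_reason(ext_der):
    """Decode SEQUENCE { OID, [critical BOOLEAN], OCTET STRING { ENUMERATED } }."""
    tag, body, _ = read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != REASON_OID:
        raise ValueError("not a reasonCode extension")
    tag, value, pos = read_tlv(body, pos)
    if tag == 0x01:  # skip the optional 'critical' flag
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue missing")
    tag, enum, _ = read_tlv(value)
    if tag != 0x0A or len(enum) != 1:
        raise ValueError("extnValue is not a one-byte ENUMERATED")
    return enum[0]

def audit(entries):
    """Return (serial, code) for every entry whose reasonCode is not in the table."""
    findings = []
    for serial, ext in entries:
        if ext is None:
            continue  # no reasonCode: correct for any reason outside the table
        code = decode_reason(ext)
        if code not in ALLOWED:
            findings.append((serial, code))
    return findings

def sample_ext(code):  # builds constructed test data, not real CRL content
    return bytes.fromhex("300a0603551d1504030a01") + bytes([code])

# Constructed sample: (serial, extension DER or None).
SAMPLE = [("0a01", sample_ext(1)), ("0a02", None), ("0a03", sample_ext(4)),
          ("0a04", sample_ext(6)), ("0a05", sample_ext(0))]
```

Calling audit(SAMPLE) flags serials 0a04 (certificateHold, 6) and 0a05 (unspecified, 0); RFC 5280 says an unspecified reason should be expressed by omitting the extension rather than by publishing code 0.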

Revocation reason options specified by the Subscriber

These are the revocation reason options that the Subscriber may specify when revoking or requesting a revocation of a certificate. Subscribers are able to specify these options in all tools and services Buypass provides and we urge all Subscribers to specify a revocation reason option if this is relevant for the actual revocation.

If a Subscriber requests a replacement for an existing certificate, the original certificate should be revoked, and we urge the Subscriber to revoke the original certificate as soon as possible after the replacement certificate has been installed.

The private key has been compromised (code #1)

The Subscriber has reason to believe that the private key of their certificate has been compromised, e.g. an unauthorized person has had access to the private key of their certificate.

In this case, Buypass will reject future certificate applications using the same key, i.e. the key will be blacklisted. It’s important for the Subscriber to not specify this option unless the private key actually has been compromised and they do not intend to use the same key in the future.

The Subscriber’s organization name or other organizational information in the certificate has changed (code #3)

The Subscriber’s organization name or other organizational information in the certificate (e.g. address) has changed. When such organizational information has changed it’s important that the Subscriber verifies how this may affect the content of the certificate.

The certificate has been replaced with a new certificate (code #4)

The Subscriber should choose this option when they request a new certificate to replace their existing certificate. See also the comment above about replacement certificates.

The certificate includes domain names no longer to be used (code #5)

The Subscriber should choose this option when they no longer own all of the domain names in the certificate, or when they will no longer be using the certificate because they are discontinuing their website.

Revocation reason options specified by Buypass

Buypass may revoke certificates for several revocation reasons and if any of these are listed in the table above, they must be specified by Buypass at time of revocation.

Read more about revocation reasons in our CP/CPS' at https://www.buypass.com/security/ca-documentation-legal.

The private key has been compromised (code #1)

This option is used when:

  • Buypass obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;

  • Buypass is made aware of a demonstrated or proven method that exposes the certificate subscriber’s private key to compromise;

  • there is clear evidence that the specific method used to generate the private key was flawed;

  • Buypass is made aware of a demonstrated or proven method that can easily compute the certificate subscriber’s private key based on the public key in the certificate (such as a Debian weak key, see https://wiki.debian.org/TLSkeys); or

Buypass will reject future certificate applications using the same key if the key is marked as compromised at Buypass.

The Subscriber’s organization name or other organizational information in the certificate has changed (code #3)

This option is used when there have been changes in the Certificate’s Subject information:

  • Buypass is made aware that there have been changes in the Subject information in the certificate and there is no other reason for revocation

The certificate does not comply with relevant requirements (code #4)

This option is used when:

  • Buypass has revoked the certificate for compliance reasons such as the certificate does not comply with this policy, the CA/Browser Forum's Baseline Requirements, or the CA operator’s CP or CPS, see

The certificate includes domain names no longer to be used (code #5)

This option is used when:

  • Buypass is made aware of any circumstance indicating that use of a fully‐qualified domain name or IP address in the certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a domain name registrant’s right to use the domain name, a relevant licensing or services agreement between the domain name registrant and the applicant has terminated, or the domain name registrant has failed to renew the domain name).

The Subscriber has violated obligations in the Subscriber agreement (code #9)

This option is used when:

  • Buypass obtains evidence that the certificate was misused;

  • Buypass is made aware that the certificate subscriber has violated one or more of its material obligations under the subscriber agreement or terms of use;

  • Buypass is made aware that a wildcard certificate has been used to authenticate a fraudulently misleading subordinate fully‐qualified domain name;

  • Buypass is made aware of a material change in the information contained in the certificate;

  • Buypass determines or is made aware that any of the information appearing in the certificate is inaccurate; or

  • Buypass is made aware that the original certificate request was not authorized and that the Subscriber does not retroactively grant authorization.

Buypass may revoke certificates for other reasons (see CP/CPS), but in this case no revocation reason option will be specified.