Open zzzsz opened 2 weeks ago
The restriction is from X.509 (08/2005), clause 8.5.2.2:
cACompromise is used in revoking a CA-certificate; it indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised;
Thus, the cACompromise
reason code is only appropriate for revoking CA certificates.
I have a question. What is the range of pkix in the error message pkix.xxx written in your code? For example pkix.crl_prohibited_reason_code
.
At first I thought the scope of pkix refers to rfc, but now you say that the scope of cACompromise comes from itu's x509, which confuses me.
Also, why not just set the error message of CrlReasonCodeAllowlistValidator
to itu.xxx?
Your understanding of the finding code classifications is correct. This finding code should be prefixed with "itu" instead of "pkix".
I'll mark this as a bug and look into getting this fixed.
Keeping this open so the finding code can be fixed.
Why are there only
keyCompromise
,affiliationChanged
,superseded
,cessationOfOperation
, andprivilegeWithdrawn
reasons for revocation? I did not find such a revocation range restriction in RFC 5280.And why can revocation reason
cACompromise
only exist in CA crl? My point is that if a leaf certificate is revoked because the CA is compromised, then its revocation reason should also be cACompromise.