mozilla / pkipolicy

Documents for Mozilla's PKI policies - certificate root program, etc.

Harmonize CRL Reason Codes with CA/B Forum Revocation Reasons #254

Closed BenWilson-Mozilla closed 1 year ago

BenWilson-Mozilla commented 2 years ago

This issue is in relation to https://github.com/cabforum/servercert/issues/377 and the discussion started here: https://lists.cabforum.org/pipermail/servercert-wg/2022-September/003292.html.

Importantly, one comment to the proposal to adopt the MRSP-based CRL reason codes concerned use of the "superseded" CRLReason -- "what exactly is the rationale for this CRLReason? Is it that these certificates will necessarily be replaced by compliant ones, that "supersede" (i.e. replace) the old ones? What if the CA decides not to replace certificates under these revocation cases?"

Another comment was as follows:

This ballot prohibits other CRLReasons from appearing in CRLs. This is meaningfully different from MRSP, where the new requirements are applicable solely to revocations that occur on or after the effective date. There is no requirement to document reason codes in the Subscriber Agreement, whereas there is in MRSP. Is this change intentional? Regarding 24-hour revocation reason #5: it appears that privilegeWithdrawn is now allowed. According to MRSP, only superseded is appropriate for this case. Regarding 5-day revocation reason #9: this is not a scenario listed in MRSP. In other words, this revocation scenario must be denoted as “unspecified” as the CRLReason under MRSP. Therefore, it is not possible to satisfy both the proposed BR text and MRSP. Regarding 5-day revocation reason #10: this appears to be like scenario #7, but it is different in that revocation may be required even if there’s no violation of the CP/CPS. I don’t think this scenario is enumerated in MRSP, so it is not possible to specify a reason code that satisfies both MRSP and this ballot for this scenario.

We should try and further harmonize the approaches to revocation reasons between the MRSP and Baseline Requirements. One suggested approach was to add language in the MRSP to the following effect: "use these CRLReasons as specified here in the MRSP or as otherwise specified in the Baseline Requirements". Details will have to be worked on.

BenWilson-Mozilla commented 2 years ago

Currently, there are no changes expected for section 6.1.1 of the MRSP by reason of https://github.com/cabforum/servercert/issues/377. This issue is a place-holder in case there are any that ultimately surface from any final ballot that might amend the Baseline Requirements. Work on the draft ballot in the CA/B Forum continues. See https://lists.cabforum.org/pipermail/servercert-wg/2022-September/003313.html. I am still working to clarify the language with a couple of endorsers of the ballot.