Hi Matthias. That's an interesting idea, but I don't think it's compatible with how the X.509 specification defines that reason code. My understanding is that cACompromise can only be used in a revocation entry for a CA Certificate. Here's the relevant section from the 2008 edition of X.509:
- keyCompromise is used in revoking an end-entity certificate; it indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised;
- cACompromise is used in revoking a CA-certificate; it indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised;
- affiliationChanged indicates that the subject's name or other information in the certificate has been modified but there is no cause to suspect that the private key has been compromised;
- superseded indicates that the certificate has been superseded but there is no cause to suspect that the private key has been compromised;
- cessationOfOperation indicates that the certificate is no longer needed for the purpose for which it was issued but there is no cause to suspect that the private key has been compromised;
- privilegeWithdrawn indicates that a certificate (public-key or attribute certificate) was revoked because a privilege contained within that certificate has been withdrawn;
- aACompromise indicates that it is known or suspected that aspects of the AA validated in the attribute certificate, have been compromised.
A certificate may be placed on hold by issuing a CRL entry with a reason code of certificateHold. The certificate hold notice may include an optional hold instruction code to convey additional information to certificate users (see 8.5.2.3).
Once a hold has been issued, it may be handled in one of three ways:
a) it may remain on the CRL with no further action, causing users to reject transactions issued during the
hold period; or,
b) it may be replaced by a (final) revocation for the same certificate, in which case the reason shall be one
of the standard reasons for revocation, the revocation date shall be the date the certificate was placed on
hold, and the optional instruction code extension field shall not appear; or,
c) it may be explicitly released and the entry removed from the CRL.
The removeFromCRL reason code is for use with delta-CRLs (see 8.6) only and indicates that an existing CRL entry
should now be removed owing to certificate expiration or hold release. An entry with this reason code shall be used in
delta-CRLs for which the corresponding base CRL or any subsequent (delta or complete for scope) CRL contains an
entry for the same certificate with reason code certificateHold.
This extension is always non-critical.
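As an added illustration of the rules quoted above (this is example code written for this page, not part of the thread or of any CA software), the following Python encodes and decodes the DER ENUMERATED reasonCode value, checks a proposed CRL entry against the constraints in the quoted text (cACompromise only for a CA-certificate, keyCompromise for end-entity certificates, removeFromCRL only in delta-CRLs, and the hold-to-final-revocation transition in case b), and shows how a certificateHold entry is replaced by a final revocation. The numeric reason values are the standard CRLReason assignments (value 7 is unused); the CRLEntry type, the sample serial number and the sample dates are constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from enum import IntEnum
from typing import List, Optional


class CRLReason(IntEnum):
    # Standard CRLReason ENUMERATED values (X.509 / RFC 5280); 7 is not assigned.
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10


def encode_reason_code(reason: CRLReason) -> bytes:
    """DER ENUMERATED: tag 0x0A, length 1, one content octet."""
    return bytes([0x0A, 0x01, int(reason)])


def decode_reason_code(der: bytes) -> CRLReason:
    """Decode the reasonCode extension value; reject anything that is not a 1-byte ENUMERATED."""
    if len(der) != 3 or der[0] != 0x0A or der[1] != 0x01:
        raise ValueError("reasonCode must be a single-octet DER ENUMERATED")
    return CRLReason(der[2])  # raises ValueError for unassigned values such as 7


@dataclass(frozen=True)
class CRLEntry:
    # Constructed representation of one revokedCertificates entry (not a real ASN.1 type).
    serial: int
    revocation_date: datetime
    reason: CRLReason
    hold_instruction: Optional[str] = None  # holdInstructionCode OID, only with certificateHold


def check_reason(entry: CRLEntry, subject_is_ca: bool, is_delta_crl: bool) -> List[str]:
    """Return the policy problems with an entry (empty list = acceptable), per the quoted X.509 text."""
    problems = []
    if entry.reason == CRLReason.cACompromise and not subject_is_ca:
        problems.append("cACompromise may only be used when revoking a CA-certificate")
    if entry.reason == CRLReason.keyCompromise and subject_is_ca:
        problems.append("keyCompromise is defined for end-entity certificates; use cACompromise for a CA-certificate")
    if entry.reason == CRLReason.removeFromCRL and not is_delta_crl:
        problems.append("removeFromCRL is for use in delta-CRLs only")
    if entry.hold_instruction is not None and entry.reason != CRLReason.certificateHold:
        problems.append("hold instruction code is only allowed together with certificateHold")
    return problems


def finalize_hold(hold_entry: CRLEntry, final_reason: CRLReason) -> CRLEntry:
    """Case b) above: replace a hold by a final revocation for the same certificate.

    The reason must be a standard revocation reason, the revocation date stays the
    date the certificate was placed on hold, and the hold instruction code is dropped.
    """
    if hold_entry.reason != CRLReason.certificateHold:
        raise ValueError("entry is not a certificateHold entry")
    if final_reason in (CRLReason.certificateHold, CRLReason.removeFromCRL):
        raise ValueError("final revocation needs a standard revocation reason")
    return replace(hold_entry, reason=final_reason, hold_instruction=None)


if __name__ == "__main__":
    # Constructed sample: an end-entity certificate first placed on hold, then revoked for good.
    hold = CRLEntry(serial=0x1234, revocation_date=datetime(2024, 1, 5, tzinfo=timezone.utc),
                    reason=CRLReason.certificateHold, hold_instruction="1.2.840.10040.2.2")
    final = finalize_hold(hold, CRLReason.keyCompromise)
    print(final, check_reason(final, subject_is_ca=False, is_delta_crl=False))
    bad = CRLEntry(serial=0x1234, revocation_date=final.revocation_date, reason=CRLReason.cACompromise)
    print(check_reason(bad, subject_is_ca=False, is_delta_crl=False))
```

The check_reason function is written as a lint on entries a CA is about to publish; the same rules can be applied when consuming a CRL to spot entries whose reason code is inconsistent with the kind of certificate they revoke.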