Hi Ryan,
Thank you for your feedback.
How about ‘Pertaining to Certificates Issued by this CA that Cannot be used for TLS Server Authentication’?
If needed, we can add text to the top of that section explaining more. Just let me know what you think is needed to fully clarify.
You are correct... The non-TLS limitation is currently intended to be the first phase of this requirement. While root store operators can collect TLS CRL information from CT, it will be much better to have CAs provide it directly. So, as browsers improve their revocation checking, I expect our requirements in this area to also change.
I have a few questions for CAs about that...
1) Is it reasonable to have CAs provide full CRLs (or JSON arrays) for TLS-Server-Auth certificates that are separate from the full CRLs for everything else?
i.e. via different fields in the CCADB?
2) I would like to have non-overridable errors for TLS-Server-Auth certificates that have been revoked for the keyCompromise, cACompromise, and affiliationChanged CRL revocation reason codes. Currently CRL reason codes for TLS end-entity certs "SHOULD" be provided, but I would like the reason codes to be required under the applicable circumstances.
Do CAs currently use those reason codes when applicable?
Do you think the BRs need to further specify when those reason codes must and must not be used?
Thanks,
Kathleen
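The following is an added example, not part of this thread and not Mozilla's or any CA's code, showing the kind of check a relying party or CCADB reviewer could run over a CA's CRL to see which entries would trip the proposed non-overridable error (keyCompromise, cACompromise, affiliationChanged) and which entries carry no reason code at all. It uses the Python `cryptography` package; the CA name, signing key, serial numbers and reason codes in the sample CRL are constructed for the demonstration.

```python
# Added example: classify CRL entries by reason code the way a client that
# implements the proposed policy might. Uses the `cryptography` package.
# The CA name, key and serial numbers below are constructed for the demo.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Reason codes the proposal would map to a non-overridable error.
HARD_FAIL_REASONS = frozenset({
    x509.ReasonFlags.key_compromise,
    x509.ReasonFlags.ca_compromise,
    x509.ReasonFlags.affiliation_changed,
})


def entry_reason(entry):
    """Return the CRLReason of a revoked-certificate entry, or None if absent."""
    try:
        return entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return None


def classify_crl(crl_der):
    """Parse a DER CRL and bucket its entries by how a client would treat them.

    Returns a dict of serial-number sets:
      hard_fail - reason is keyCompromise / cACompromise / affiliationChanged
      soft_fail - any other reason code (superseded, cessationOfOperation, ...)
      no_reason - the entry carries no CRLReason extension at all
    """
    crl = x509.load_der_x509_crl(crl_der)
    buckets = {"hard_fail": set(), "soft_fail": set(), "no_reason": set()}
    for entry in crl:  # each entry is a RevokedCertificate
        reason = entry_reason(entry)
        if reason is None:
            buckets["no_reason"].add(entry.serial_number)
        elif reason in HARD_FAIL_REASONS:
            buckets["hard_fail"].add(entry.serial_number)
        else:
            buckets["soft_fail"].add(entry.serial_number)
    return buckets


def build_sample_crl_der():
    """Build a constructed CRL (throwaway key, fictitious CA name) for the demo."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
    )
    # (serial, reason) pairs; None models a CA that omitted the reason code.
    sample_entries = [
        (1001, x509.ReasonFlags.key_compromise),
        (1002, x509.ReasonFlags.ca_compromise),
        (1003, x509.ReasonFlags.affiliation_changed),
        (1004, x509.ReasonFlags.superseded),
        (1005, None),
    ]
    for serial, reason in sample_entries:
        rb = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
        if reason is not None:
            rb = rb.add_extension(x509.CRLReason(reason), critical=False)
        builder = builder.add_revoked_certificate(rb.build())
    crl = builder.sign(private_key=key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


if __name__ == "__main__":
    for bucket, serials in classify_crl(build_sample_crl_der()).items():
        print(f"{bucket:10s} {sorted(serials)}")
```

Running it prints serials 1001-1003 under hard_fail, 1004 under soft_fail and 1005 under no_reason. The no_reason bucket is the interesting one for the question about whether CAs use reason codes when applicable: an entry with no CRLReason extension gives a client nothing to distinguish a key compromise from a routine replacement, which is why the proposal wants the code to be required rather than "SHOULD".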