From e520892519e577cd0db0ee670bdad21bca3aa222 Mon Sep 17 00:00:00 2001 
From: m0nst3r <38524240+mr-m0nst3r@users.noreply.github.com>
Date: Wed, 10 Dec 2025 17:57:30 +0800
Subject: [PATCH] Clarify CRLReason #9 (privilegeWithdrawn) description in BR 7.2.2

## Summary

This PR updates the description of CRLReason #9 (privilegeWithdrawn) in Section 7.2.2 to better align with the actual usage scenarios enumerated in Section 4.9.1.1.

## Problem

The current description in BR 7.2.2 states that privilegeWithdrawn indicates "a subscriber-side infraction that has not resulted in keyCompromise, such as the Certificate Subscriber provided misleading information in their Certificate Request or has not upheld their material obligations under the Subscriber Agreement or Terms of Use."

However, Section 4.9.1.1 provides several examples where CRLReason #9 is used that are not fully covered by this description:

1. The Subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization (CRLReason #9, privilegeWithdrawn)
2. The CA obtains evidence that the Certificate was misused (CRLReason #9, privilegeWithdrawn)
3. The CA is made aware that a Subscriber has violated one or more of its material obligations under the Subscriber Agreement or Terms of Use (CRLReason #9, privilegeWithdrawn)
4. The CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name (CRLReason #9, privilegeWithdrawn)
5. The CA is made aware of a material change in the information contained in the Certificate (CRLReason #9, privilegeWithdrawn)
6. The CA determines or is made aware that any of the information appearing in the Certificate is inaccurate (CRLReason #9, privilegeWithdrawn)

The current description focuses primarily on misleading information in the certificate request and violations of material obligations, but does not explicitly cover:

- Authorization issues (invalid or withdrawn authorization)
- Certificate misuse scenarios
- Information accuracy issues (inaccurate or materially changed information)

## Solution

Updated the description to comprehensively cover all scenarios where CRLReason #9 is used:

**New description:**

> Indicates that there has been a subscriber-side infraction that has not resulted in keyCompromise, such as the Certificate Subscriber's authorization for the certificate was invalid or withdrawn, the Certificate was misused, the Certificate Subscriber violated material obligations under the Subscriber Agreement or Terms of Use, or any information contained in the Certificate is inaccurate or has materially changed.

## Changes

- **Section 7.2.2**: Updated the Description column for privilegeWithdrawn (reasonCode value 9) in the CRLReason table

## Impact

This change improves clarity and consistency between the definition in Section 7.2.2 and the practical usage examples in Section 4.9.1.1, ensuring that CAs have clear guidance on when to use CRLReason #9 for certificate revocation.

--- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 3edd10e4..a09d8d29 100644 --- a/docs/BR.md +++ b/docs/BR.md 
@@ -3657,7 +3657,7 @@ Table: CRLReasons | superseded | 4 | Indicates that the Certificate is being replaced because: the Subscriber has requested a new Certificate, the CA has reasonable evidence that the validation of domain authorization or control for any fully‐qualified domain name or IP address in the Certificate should not be relied upon, or the CA has revoked the Certificate for compliance reasons such as the Certificate does not comply with these Baseline Requirements or the CA's CP or CPS. | | cessationOfOperation | 5 | Indicates that the website with the Certificate is shut down prior to the expiration of the Certificate, or if the Subscriber no longer owns or controls the Domain Name in the Certificate prior to the expiration of the Certificate. | certificateHold | 6 | MUST NOT be included if the CRL entry is for 1) a Certificate subject to these Requirements, or 2) a Certificate not subject to these Requirements and was either A) issued on-or-after 2020-09-30 or B) has a `notBefore` on-or-after 2020-09-30. -| privilegeWithdrawn | 9 | Indicates that there has been a subscriber-side infraction that has not resulted in keyCompromise, such as the Certificate Subscriber provided misleading information in their Certificate Request or has not upheld their material obligations under the Subscriber Agreement or Terms of Use. | +| privilegeWithdrawn | 9 | Indicates that there has been a subscriber-side infraction that has not resulted in keyCompromise, such as the Certificate Subscriber's authorization for the certificate was invalid or withdrawn, the Certificate was misused, the Certificate Subscriber violated material obligations under the Subscriber Agreement or Terms of Use, or any information contained in the Certificate is inaccurate or has materially changed. | The Subscriber Agreement, or an online resource referenced therein, MUST inform Subscribers about the revocation reason options listed above and provide explanation about when to choose each option. 
Tools that the CA provides to the Subscriber MUST allow for these options to be easily specified when the Subscriber requests revocation of their Certificate, with the default value being that no revocation reason is provided (i.e. the default corresponds to the CRLReason "unspecified (0)" which results in no reasonCode extension being provided in the CRL).
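Review bot: the replacement `privilegeWithdrawn` row drops the one example in the old row that concerned the Certificate Request rather than the issued Certificate ("provided misleading information in their Certificate Request"); the new wording covers an invalid or withdrawn authorization and information "contained in the Certificate" that is inaccurate or has materially changed, but misleading information supplied during the request that never appears in the Certificate is no longer named, so consider keeping that clause alongside the new ones rather than replacing it. In the same `+` line, "authorization for the certificate" uses a lowercase "certificate" while the rest of the row and the surrounding table rows use the defined term "Certificate"; suggest "authorization for the Certificate". Minor: "such as the Certificate Subscriber's authorization for the certificate was invalid or withdrawn" is awkward after "such as"; a list of noun phrases ("such as an invalid or withdrawn authorization for the Certificate, misuse of the Certificate, a violation of the Subscriber's material obligations under the Subscriber Agreement or Terms of Use, or information in the Certificate that is inaccurate or has materially changed") reads more cleanly and is also easier for the Subscriber-facing explanation that the following paragraph requires the Subscriber Agreement to provide.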