1. Revocation for a Security Reason:

   a. VeriSign will never remove a certificate from a CRL if VeriSign
      has reason to believe that it was revoked for (i) reasons of a private key
      compromise or (ii) because the Certificate was issued in a manner not materially
      in accordance with the procedures required by the VeriSign CPS (a "security
      reason"). Examples of revocation reasons that VeriSign does not believe
      constitute security reasons include "Lost or forgotten password"
      and "Replacement".

   b. Commencing on 2/11/04, only Code Signing certificates that
      are revoked for a Security Reason will be published to a CRL. VeriSign has
      adopted this policy to ensure that only certificates revoked for security
      reasons (as opposed to standard certificate lifecycle reasons) are included
      in the CRL.

2. Revocation for a Non-Security Reason:

   a. If VeriSign has a clear and unambiguous revocation reason
      on file, revoked certificates will be removed from the CRL after they have
      expired unless VeriSign has reason to believe that they were revoked for
      a Security Reason. Examples of revocation reasons that VeriSign does not
      believe constitute security reasons include "Lost or forgotten password"
      and "Replacement".

   b. If VeriSign does not have a clear and unambiguous revocation
      reason on file, a revoked certificate may be removed from the CRL ONLY after
      (i) the certificate has been revoked for more than 2 years and (ii) the
      notification procedures in 2(c) are followed.

   c. As an added precaution, prior to removing any
      revoked certificate from the CRL:

      i. VeriSign will notify in advance the Technical Contacts listed
         in the revoked certificate request of this CRL procedure and the pending
         removal of the revoked certificate from the CRL.

      ii. If the Technical Contact objects to the pending removal of the revoked
          certificate from the CRL, the revoked certificate will not be removed
          from the CRL.