CA/Maintenance and Enforcement

149 bytes added, 17:28, 24 September 2018
m (minor updates)
= Actively Distrusting a Certificate =
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy] and the [https://cabforum.org/baseline-requirements/ CA/Browser Forum's Baseline Requirements] list some of the reasons why a certificate must be revoked. For the common revocations, CRL and OCSP revocation checking are sufficient. However, in extenuating circumstances, such as those listed above, Mozilla may take additional action to protect users by actively distrusting a certificate.
The steps to actively distrust a certificate are as follows.
# Implement Code Change
#* Add the corresponding intermediate or end-entity certificates to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL].
#* If it is determined that a certificate needs to be actively distrusted in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS], then the following may also be done.
#** Update [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] by adding a new entry to the built-in root cert list that takes away trust instead of giving it. This is done with a separate "distrust" flag, and is called '''Active Distrust'''. Active Distrust can be applied to any root, intermediate, or leaf certificate. Active Distrust does not require the entire certificate, because the entry may be keyed on the combination of the certificate's Serial Number and Issuer. Note: the built-in cert list has two types of entries, cert entries and trust entries. A (dis)trust entry can be added without adding a corresponding cert entry.
#** A problem with this approach arises if the certificate to be Actively Distrusted has been cross-signed by another root certificate that is included in NSS. A cross-signed copy carries the same subject and public key but a different Issuer and Serial Number, so a distrust entry keyed on the original Issuer/Serial Number does not match it. This could require asking every CA in Mozilla's program whether they have cross-signed the root or intermediate certificate that is to be Actively Distrusted. If there is such cross-signing, then the change to the built-in root cert list will also have to include the Issuer/Serial Number combination for each cross-signed certificate.
# Test
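The following is an added example, not Mozilla or NSS code, showing the two points above in working form: an Active Distrust entry is keyed on the DER Issuer plus the DER Serial Number rather than on the whole certificate, and a cross-signed copy of the same CA (same subject, same SubjectPublicKeyInfo, different issuer and serial) needs its own entry. It constructs its own sample certificates with a tiny DER encoder (placeholder keys and a fake signature, since nothing here is verified), parses them back with a minimal DER walker, finds every cross-signed variant in a pool, and emits one certdata.txt-style trust object per variant. The certdata.txt layout is approximated from memory: the real file also carries certificate hash attributes next to the issuer and serial, which are left out here on the assumption that only issuer and serial are known.

```python
"""Build NSS-style Active Distrust entries (issuer + serial, no full cert) for a
certificate and for every cross-signed variant of it found in a pool of certs.
Added example: the DER encoder/decoder, sample certs and the certdata.txt layout
are constructed here and are not Mozilla/NSS code."""

# ---- minimal DER encoder, only what is needed to construct sample certs ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(n):                      # positive INTEGER, leading 0x00 if the high bit is set
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def name(common_name):               # Name = SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    attr = seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, common_name.encode()))
    return seq(tlv(0x31, attr))

SIG_ALG = seq(tlv(0x06, bytes.fromhex("2A864886F70D01010B")), tlv(0x05, b""))  # sha256WithRSAEncryption
VALIDITY = seq(tlv(0x17, b"180101000000Z"), tlv(0x17, b"280101000000Z"))

def spki(key_bytes):                 # SubjectPublicKeyInfo carrying a placeholder key
    alg = seq(tlv(0x06, bytes.fromhex("2A864886F70D010101")), tlv(0x05, b""))
    return seq(alg, tlv(0x03, b"\x00" + key_bytes))

def make_cert(serial, issuer_cn, subject_cn, key_bytes):
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), SIG_ALG, name(issuer_cn),
              VALIDITY, name(subject_cn), spki(key_bytes))
    return seq(tbs, SIG_ALG, tlv(0x03, b"\x00" + b"\xAA" * 16))   # signature value is fake

# ---- minimal DER decoder: just enough to pull issuer, serial, subject, SPKI ----
def der_children(buf):
    """Yield (tag, raw_tlv, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        start = pos
        tag, ln = buf[pos], buf[pos + 1]
        pos += 2
        if ln & 0x80:                 # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[start:pos + ln], buf[pos:pos + ln]
        pos += ln

def parse_cert(der):
    """Return the serial and the raw DER of issuer, subject and SPKI."""
    _, _, cert = next(der_children(der))          # Certificate SEQUENCE
    _, _, tbs = next(der_children(cert))          # tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    serial_tag, serial_raw, serial_val = fields[0]
    assert serial_tag == 0x02
    return {
        "serial": int.from_bytes(serial_val, "big", signed=True),
        "serial_der": serial_raw,                 # CKA_SERIAL_NUMBER is the whole DER INTEGER
        "issuer": fields[2][1],                   # CKA_ISSUER is the whole DER Name
        "subject": fields[4][1],
        "spki": fields[5][1],
    }

def cross_signed_variants(target_der, pool_ders):
    """The target plus every pool cert with the same subject and public key.
    Each variant has its own issuer/serial and needs its own distrust entry."""
    t = parse_cert(target_der)
    variants = [t]
    for d in pool_ders:
        if d == target_der:
            continue
        c = parse_cert(d)
        if c["subject"] == t["subject"] and c["spki"] == t["spki"]:
            variants.append(c)
    return variants

def multiline_octal(b):
    lines = ["".join("\\%03o" % x for x in b[i:i + 16]) for i in range(0, len(b), 16)]
    return "MULTILINE_OCTAL\n" + "\n".join(lines) + "\nEND"

def distrust_entry(label, cert):
    """A trust object that withholds trust; no CKO_CERTIFICATE object is added.
    Layout approximates certdata.txt (assumption); hash attributes are omitted."""
    return "\n".join([
        "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST",
        "CKA_TOKEN CK_BBOOL CK_TRUE",
        "CKA_PRIVATE CK_BBOOL CK_FALSE",
        "CKA_MODIFIABLE CK_BBOOL CK_FALSE",
        'CKA_LABEL UTF8 "%s"' % label,
        "CKA_ISSUER " + multiline_octal(cert["issuer"]),
        "CKA_SERIAL_NUMBER " + multiline_octal(cert["serial_der"]),
        "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED",
        "CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED",
        "CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED",
        "CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE",
    ])

def distrust_entries(label, target_der, pool_ders):
    return [distrust_entry(label, c) for c in cross_signed_variants(target_der, pool_ders)]

# ---- constructed sample data: one sub-CA, a cross-signed copy of it, one unrelated cert ----
KEY_SUB, KEY_OTHER = bytes(range(32)), bytes(range(32, 64))
SUB_CA = make_cert(0x1001, "Example Root CA", "Example Sub CA", KEY_SUB)
SUB_CA_XSIGNED = make_cert(0x2002, "Other Root CA", "Example Sub CA", KEY_SUB)  # same subject and key
UNRELATED = make_cert(0x3003, "Example Root CA", "Unrelated Sub CA", KEY_OTHER)
POOL = [SUB_CA, SUB_CA_XSIGNED, UNRELATED]

if __name__ == "__main__":
    for e in distrust_entries("Distrust Example Sub CA", SUB_CA, POOL):
        print(e, end="\n\n")
```

Run stand-alone it prints two trust objects, one keyed on "Example Root CA" + serial 0x1001 and one on "Other Root CA" + serial 0x2002; the unrelated certificate, which shares the issuer but not the subject and key, is left alone. Matching cross-signed copies on subject plus SubjectPublicKeyInfo rather than on subject name alone is deliberate: a re-keyed CA with the same name is a different key and is not covered by distrusting the old one.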