Let's say a MITM decides to register an ACME account and successfully issues a certificate for my domain. What would the appropriate revocation be for that?
I'm unsure whether this counts as keyCompromise, as I'm unsure whether "unauthorized person has had access to the private key of their certificate" means unauthorized to access the private key (false in this case), or unauthorized to access a certificate for the domain (true in this case).
Just to be clear, you're talking about the scenario where an attacker can demonstrate control over the domain (that is, the CA didn't break any rules in validation, and they acted "correctly" when they issued the attacker a certificate), and then the "legitimate" controller over the domain stops the attacker from being able to demonstrate control anymore, and somebody requests the attacker's certificate be revoked? And the keys that the legitimate controller of the domain may have used for certificates were never compromised in the attack?
In that case, my understanding of the documentation is that it would be cessationOfOperation, since the subscriber of the certificate (the attacker) no longer has control over the domain.
Definitely cessationOfOperation. In fact, it doesn't matter what revocation reason you request: if you demonstrate that you have the right to revoke based on controlling the names in the certificate (as opposed to being the original subscriber, or controlling the cert's private key), we will automatically override the reason code to cessationOfOperation.