Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
EV Policy OIDs (was Re: Identrust Commercial Root CA 1 EV Request)
290 views
Skip to first unread message
Nick Lamb
Sep 20, 2018, 5:13:33 AM9/20/18
to dev-secur...@lists.mozilla.org
On Tue, 18 Sep 2018 17:53:34 -0700
Wayne Thayer via dev-security-policy
<dev-secur...@lists.mozilla.org> wrote:
> ** EV Policy OID: 2.23.140.1.1
This reminds me of a question I keep meaning to ask. I know Microsoft
has been trying to get CAs to use 2.23.140.1.1 for EV and knock it off
with the arbitrary policy OIDs, does Mozilla have any policy on that?
Wayne Thayer via dev-security-policy
<dev-secur...@lists.mozilla.org> wrote:
> ** EV Policy OID: 2.23.140.1.1
This reminds me of a question I keep meaning to ask. I know Microsoft
has been trying to get CAs to use 2.23.140.1.1 for EV and knock it off
with the arbitrary policy OIDs, does Mozilla have any policy on that?
Wayne Thayer
Sep 20, 2018, 4:55:23 PM9/20/18
to Nick Lamb, MDSP
Hi Nick,
Good question. Mozilla is currently strongly encouraging CAs to use the CAB
Forum EV OID, but not requiring it. I would be interested to hear arguments
for or against requiring the use of the CAB Forum EV OID in future Mozilla
root store updates. Requiring this might eventually solve some of the
problems we're seeing when roots are acquired or cross-signed [1]. To be
clear, at this time I'm only thinking about new inclusions or EV
enablement, not changing OIDs for existing EV capable roots.
- Wayne
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1486838
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
Good question. Mozilla is currently strongly encouraging CAs to use the CAB
Forum EV OID, but not requiring it. I would be interested to hear arguments
for or against requiring the use of the CAB Forum EV OID in future Mozilla
root store updates. Requiring this might eventually solve some of the
problems we're seeing when roots are acquired or cross-signed [1]. To be
clear, at this time I'm only thinking about new inclusions or EV
enablement, not changing OIDs for existing EV capable roots.
- Wayne
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1486838
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
Wayne Thayer
Nov 13, 2018, 4:29:25 PM11/13/18
to MDSP
I've added a page to our wiki that describes how Firefox determines if a
particular website received the EV UI:
https://wiki.mozilla.org/CA/EV_Processing_for_CAs
I mentioned this at the last CA/Browser Forum meeting and I hope it is
useful to CAs - especially those who are dealing with cross-signing and
legacy hierarchies.
Since there were no comments about requiring the use of the CA/Browser
Forum EV OID, we've left it as 'strongly encouraged', but I added it to our
issues list for the Root Store Policy:
https://github.com/mozilla/pkipolicy/issues/160
- Wayne
particular website received the EV UI:
https://wiki.mozilla.org/CA/EV_Processing_for_CAs
I mentioned this at the last CA/Browser Forum meeting and I hope it is
useful to CAs - especially those who are dealing with cross-signing and
legacy hierarchies.
Since there were no comments about requiring the use of the CA/Browser
Forum EV OID, we've left it as 'strongly encouraged', but I added it to our
issues list for the Root Store Policy:
https://github.com/mozilla/pkipolicy/issues/160
- Wayne
0 new messages