info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Certificate OID policy and new intermediate CA mode
282 views
Skip to first unread message
cfcazha...@gmail.com
Jul 20, 2015, 3:39:37 AM7/20/15
to mozilla-dev-s...@lists.mozilla.org
These are samples of the end-entity certificates OIDs
OV 2.23.140.1.2.2
EV 2.23.140.1.1
EV CodeSign 2.23.140.1.3
Non-EV Code Signing 2.23.140.1.4
Microsoft mentioned:
Microsoft does not require CAs to separate out intermediates by OID type; instead, the intent of this requirement is to simply require CAs to standardize OIDs on the end-entity certificate.
so, in this case, is it possible that one EV root Certificate have one intermediate Certificate.
And this root system have 4 audit:
Webtrust 2.0
BR
EV
EV codesign
The intermediates Certificate can issue:
1, OV SSL Certificate
2, OV CodeSign Certificate
3, EV SSL Certificate
4, EV CodeSign Certificate
if this is allowed, will Mozilla, Google and Apple accept this kind of root certificate inclusion request?
if not, is there any policy against it?
(Microsoft use to forbid this kind of root/intermediates Certificate , but now the restriction is removed)
if not, is it possible to make 1 intermediate Certificate for EV, 1 for OV?
OV 2.23.140.1.2.2
EV 2.23.140.1.1
EV CodeSign 2.23.140.1.3
Non-EV Code Signing 2.23.140.1.4
Microsoft mentioned:
Microsoft does not require CAs to separate out intermediates by OID type; instead, the intent of this requirement is to simply require CAs to standardize OIDs on the end-entity certificate.
so, in this case, is it possible that one EV root Certificate have one intermediate Certificate.
And this root system have 4 audit:
Webtrust 2.0
BR
EV
EV codesign
The intermediates Certificate can issue:
1, OV SSL Certificate
2, OV CodeSign Certificate
3, EV SSL Certificate
4, EV CodeSign Certificate
if this is allowed, will Mozilla, Google and Apple accept this kind of root certificate inclusion request?
if not, is there any policy against it?
(Microsoft use to forbid this kind of root/intermediates Certificate , but now the restriction is removed)
if not, is it possible to make 1 intermediate Certificate for EV, 1 for OV?
0 new messages