Judging from the earlier discussion that took place in September 2020, I
understand that some CAs have an EV-enabled hierarchy (meaning that the
Root CA is in scope of the EV Guidelines and is included in an audit
with "EV scope"), have issued some Intermediate CAs that issue EV
Certificates and are included in the audit with "EV scope", and some
Intermediate CAs that have never issued EV Certificates, nor are they
intended to issue EV Certificates, and were not listed in the "EV scope"
of the audit.
I realize that this policy change will require Intermediate CAs that
have never issued nor intend to issue EV Certificates to be included in
an EV scope audit with the sole purpose of asserting that no TLS
Certificates have been issued in scope of the EV Guidelines, which
translates into making sure that no end-entity certificate has been
issued asserting the EV policy OID in the certificatePolicies extension.
Is that a fair statement?
Is there going to be an effective date after which Intermediate CA
Certificates which were not intended to issue EV Certificates will be
required to have an EV audit?
Assuming my previous statement is fair, would it suffice for an auditor
to examine the corpus of non-expired/non-revoked Certificates off of
these "non-EV" Issuing CAs to ensure that no end-entity certificate has
been issued asserting the EV policy OID according to the CA's CP/CPS?
Finally, I would like to highlight that policy OID chaining is not
currently supported in the webPKI by Browsers, so even if a CA adds a
particular non-EV policyOID in an Intermediate CA Certificate, this
SubCA would still be technically capable of issuing an end-entity
certificate asserting an EV policy OID, and that certificate would
probably get EV treatment from existing browsers. Is this correct?
Thank you,
Dimitris.
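The audit check described above (scan the end-entity certificates of a "non-EV" issuing CA for the CA/Browser Forum EV policy OID in certificatePolicies), as an added example that is not part of the original post. It uses the `cryptography` package; the issuing CA and its leaves are constructed in-memory test certificates, and the point that nothing technically stops a non-EV intermediate from signing a leaf that asserts the EV OID is visible in `build_corpus`.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# CA/Browser Forum policy OIDs (EV Guidelines and Baseline Requirements OV).
EV_OID = "2.23.140.1.1"
OV_OID = "2.23.140.1.2.2"

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(cn, policy_oids, is_ca, issuer=None):
    """Constructed test certificate; self-signed when no issuer (key, cert) is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer_key, issuer_name = (key, _name(cn)) if issuer is None else (issuer[0], issuer[1].subject)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(cn)).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if policy_oids:  # certificatePolicies is only present when the cert asserts a policy
        builder = builder.add_extension(x509.CertificatePolicies(
            [x509.PolicyInformation(x509.ObjectIdentifier(o), None) for o in policy_oids]),
            critical=False)
    return key, builder.sign(signer_key, hashes.SHA256())

def asserted_policies(cert):
    """Policy OIDs in the certificatePolicies extension (empty set if absent)."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return set()
    return {p.policy_identifier.dotted_string for p in ext.value}

def ev_leaves(corpus):
    """Audit check: subjects of end-entity certs that assert the EV policy OID."""
    return sorted(c.subject.rfc4514_string() for c in corpus
                  if EV_OID in asserted_policies(c)
                  and not c.extensions.get_extension_for_class(x509.BasicConstraints).value.ca)

def build_corpus():
    """A 'non-EV' issuing CA (OV policy only) and the leaves it signed. The OV policy in
    the intermediate does not prevent it from signing a leaf asserting the EV OID."""
    ica = _issue("Non-EV Issuing CA", [OV_OID], True)
    return [_issue("ov.example", [OV_OID], False, issuer=ica)[1],
            _issue("oops-ev.example", [EV_OID], False, issuer=ica)[1],
            _issue("nopolicy.example", [], False, issuer=ica)[1]]

if __name__ == "__main__":
    print("EV OID asserted by:", ev_leaves(build_corpus()))
```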