[cabfpub] Ballot 89 Again (Publish Recommendations for the Processing of EV SSL Certificates v.2)

Erwann Abalea erwann.abalea at keynectis.com
Fri Nov 22 08:43:10 MST 2013


On 22/11/2013 02:11, Moudrick M. Dadashov wrote:
> Rick, I see here a problem that not all roots have policy OIDs. It's been common understanding that roots serve more like TA containers rather than certificates. Looks like this has changed, right?

EV OIDs are attached to a TA, as metadata.

It fits the X.509/RFC5280 validation algorithm; the relying party just 
has to set the initial-policy-set (X.509) or user-initial-policy-set 
(RFC5280) with the OIDs declared as EV, run the validation algorithm, 
and check the user-constrained-policy-set (X.509) or valid_policy_tree 
(RFC5280) size. If those final sets are not empty, then the certificate 
is EV.
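
The check described in the message above, as an added example that is not part of the original post: a simplified Python model of RFC 5280 section 6.1 policy processing. It assumes no policy mappings, policy constraints or inhibitAnyPolicy, reduces each certificate to the set of OIDs in its certificatePolicies extension, and uses constructed sample OIDs; the function names are hypothetical.

```python
# Simplified model of RFC 5280 section 6.1 policy processing (added example).
# Assumptions: no policy mappings, no policy constraints, no inhibitAnyPolicy;
# each certificate is reduced to the set of OIDs in its certificatePolicies
# extension (None when the extension is absent).
ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID defined in RFC 5280

def constrained_policy_set(chain, user_initial_policy_set):
    """chain: policy sets ordered from the first CA certificate below the
    trust anchor down to the end-entity certificate.
    Returns the user-constrained policy set (empty set == NULL tree)."""
    valid = {ANY_POLICY}                  # depth-0 node of valid_policy_tree
    for cert_policies in chain:
        if cert_policies is None:         # extension absent: tree becomes NULL
            return set()
        nxt = set()
        for oid in cert_policies - {ANY_POLICY}:
            # A policy survives if the parent level holds it or anyPolicy.
            if oid in valid or ANY_POLICY in valid:
                nxt.add(oid)
        if ANY_POLICY in cert_policies:   # anyPolicy carries every parent node down
            nxt |= valid
        if not nxt:                       # everything pruned: tree is NULL
            return set()
        valid = nxt
    # Wrap-up: intersect with the user-initial-policy-set.
    if ANY_POLICY in user_initial_policy_set:
        return valid
    if ANY_POLICY in valid:               # anyPolicy leaf expands to the initial set
        return set(user_initial_policy_set)
    return valid & set(user_initial_policy_set)

def is_ev(chain, ev_oids_for_anchor):
    """ev_oids_for_anchor: EV OIDs held as metadata for the trust anchor."""
    return bool(constrained_policy_set(chain, ev_oids_for_anchor))

# Constructed sample OIDs and chains (not real CA policy identifiers).
EV_OID = "1.3.6.1.4.1.99999.1.1"
DV_OID = "1.3.6.1.4.1.99999.1.2"
EV_CHAIN = [{ANY_POLICY}, {EV_OID, DV_OID}]   # intermediate, then leaf
DV_CHAIN = [{ANY_POLICY}, {DV_OID}]
NARROWED_CHAIN = [{DV_OID}, {EV_OID}]         # intermediate does not allow EV

if __name__ == "__main__":
    for name, chain in [("ev", EV_CHAIN), ("dv", DV_CHAIN), ("narrowed", NARROWED_CHAIN)]:
        print(name, is_ev(chain, {EV_OID}))
```

The trust anchor itself never appears in `chain`: its EV OIDs enter only as the initial policy set, which is why a root without a certificatePolicies extension does not affect the outcome.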

