[cabfpub] Ballot 89 Again (Publish Recommendations for the Processing of EV SSL Certificates v.2)
sigbjorn at opera.com
Mon Nov 18 17:57:55 UTC 2013
On 18-Nov-13 13:53, Sigbjørn Vik wrote:
> On 16-Nov-13 03:03, Rick Andrews wrote:
>> Section 12, Policy Identifier: I changed both to MUST: "The certificate verification software must verify that the EV certificate contains a value in its certificate policies extension that matches the distinct certificate policy identifier associated with the issuing CSP root certificate. The user agent must grant the EV treatment only to certificates that contain the appropriate policy identifier." If there's a browser that shows the EV treatment even for certs whose policy OID doesn't match the root's EV OID, I think we'd all like to know about it.
> This gets complicated with a must. There is no technical reason for
> these OIDs, a CA might just as well just have an EV root, and
> categorically state that anything chaining to it is EV. This might be
> sufficient in a lot of cases, so I'd recommend a should here. Also note
> that an EV root is not required to be issued by a public CA, it could
> also be a home grown intranet root, automatically installed by sysadmin.
I was told that my intention didn't shine through here :) I am not
opposed to a "must" (in any of the issues), it is just that using a
"must" requires significant more work than a "should", including
checking if there are any existing use cases which would be invalidated.
While a stricter spec is better, it is also harder to get approved, and
takes more time to get right, and from my understanding that this spec
is already controversial and overdue, this might not be the most
important point to work on. If you know that nobody would oppose such a
"must" (Opera won't), then feel free to include it. Another possibility
is to explicitly bring up such changes later, after the main body of the
spec has been agreed upon.
More information about the Public