[cabfpub] Ballot 89 Again (Publish Recommendations for the Processing of EV SSL Certificates v.2)

Erwann Abalea erwann.abalea at keynectis.com
Fri Nov 22 15:43:10 UTC 2013


Le 22/11/2013 02:11, Moudrick M. Dadashov a écrit :
> Rick, I see here a problem that not all roots have policy OIDs. It's been common understanding that roots serve more like TA containers rather than certificates. Looks like this has changed, right?

EV OIDs are attached to a TA, as metadata.

It fits the X.509/RFC5280 validation algorithm; the relying party just 
has to set the initial-policy-set (X.509) or user-initial-policy-set 
(RFC5280) with the OIDs declared as EV, run the validation algorithm, 
and check the user-constrained-policy-set (X.509) or valid_policy_tree 
(RFC5280) size. If those final sets are not empty, then the certificate 
is EV.



More information about the Public mailing list