[cabfpub] Ballot 89 Again (Publish Recommendations for the Processing of EV SSL Certificates v.2)
Moudrick M. Dadashov
md at ssc.lt
Fri Nov 22 16:47:02 UTC 2013
On 11/22/2013 5:43 PM, Erwann Abalea wrote:
> On 22/11/2013 02:11, Moudrick M. Dadashov wrote:
>> Rick, I see here a problem that not all roots have policy OIDs. It's been common understanding that roots serve more like TA containers rather than certificates. Looks like this has changed, right?
> EV OIDs are attached to a TA, as metadata.
> It fits the X.509/RFC5280 validation algorithm; the relying party just
> has to set the initial-policy-set (X.509) or user-initial-policy-set
> (RFC5280) with the OIDs declared as EV, run the validation algorithm,
> and check the user-constrained-policy-set (X.509) or valid_policy_tree
> (RFC5280) size. If those final sets are not empty, then the certificate
> is EV.
OK, thanks for the clarification. It seems the referenced validation
algorithm leaves quite a lot of flexibility in how implementers interpret
the top of the chain. I'm still curious will the "final sets" for the
Root (no policy OID OR any_policy)
Issuing (CA supplied EV policy OID)
EV SSL ([CA supplied EV policy OID] OR [CAB Forum EV SSL OID] AND/OR
[ETSI EVCP OR ETSI EVCP+]
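The check described in the quoted reply, as an added example that is not part of the original thread: a simplified set-based model of RFC 5280 section 6.1 policy processing, in which policy mappings, qualifiers, inhibitAnyPolicy and requireExplicitPolicy are not modelled. `CA_EV` is a constructed stand-in OID and the function names are hypothetical.

```python
# Simplified model of RFC 5280 section 6.1 policy processing (sets, not a tree).
# Not modelled: policy mappings, qualifiers, inhibitAnyPolicy, requireExplicitPolicy.
ANY_POLICY = "2.5.29.32.0"        # anyPolicy
CABF_EV = "2.23.140.1.1"          # CA/Browser Forum EV policy OID
CA_EV = "1.3.6.1.4.1.99999.1.1"   # constructed stand-in for a CA-specific EV OID


def step(valid, cert_policies):
    """Fold one certificate's certificatePolicies into the valid policy set."""
    if cert_policies is None:       # extension absent: the policy tree becomes NULL
        return set()
    explicit = set(cert_policies) - {ANY_POLICY}
    new = explicit if ANY_POLICY in valid else explicit & valid
    if ANY_POLICY in cert_policies:  # anyPolicy carries every parent policy forward
        new |= valid
    return new


def constrained_policy_set(path, user_initial_policy_set):
    """path: certificatePolicies of each certificate, from the first CA certificate
    below the trust anchor down to the end entity. The trust anchor is an input
    to validation, not a path element, so its own policies are not folded in."""
    valid = {ANY_POLICY}            # initial valid_policy_tree: one anyPolicy node
    for cert_policies in path:
        valid = step(valid, cert_policies)
    wanted = set(user_initial_policy_set)
    if ANY_POLICY in wanted:
        return valid
    result = valid & wanted
    if ANY_POLICY in valid:         # anyPolicy at the leaf matches every requested OID
        result |= wanted
    return result


def is_ev(path, ev_oids):
    """The check from the quoted reply: a non-empty final set means EV."""
    return bool(constrained_policy_set(path, ev_oids))


if __name__ == "__main__":
    ev_oids = {CA_EV, CABF_EV}      # OIDs the relying party attached to this trust anchor
    print(is_ev([{CA_EV}, {CA_EV, CABF_EV}], ev_oids))   # issuing CA and leaf assert CA_EV
    print(is_ev([{ANY_POLICY}, {CA_EV}], ev_oids))       # issuing CA asserts anyPolicy
    print(is_ev([None, {CA_EV}], ev_oids))               # issuing CA has no policies
    print(is_ev([{CA_EV}, {"1.3.6.1.4.1.99999.2"}], ev_oids))  # leaf has a non-EV OID
```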