[cabfpub] Ballot 89 Again (Publish Recommendations for the Processing of EV SSL Certificates v.2)

Moudrick M. Dadashov md at ssc.lt
Fri Nov 22 16:47:02 UTC 2013


On 11/22/2013 5:43 PM, Erwann Abalea wrote:
> On 22/11/2013 02:11, Moudrick M. Dadashov wrote:
>> Rick, I see here a problem that not all roots have policy OIDs. It's been common understanding that roots serve more like TA containers rather than certificates. Looks like this has changed, right?
> EV OIDs are attached to a TA, as metadata.
>
> It fits the X.509/RFC5280 validation algorithm; the relying party just
> has to set the initial-policy-set (X.509) or user-initial-policy-set
> (RFC5280) with the OIDs declared as EV, run the validation algorithm,
> and check the user-constrained-policy-set (X.509) or valid_policy_tree
> (RFC5280) size. If those final sets are not empty, then the certificate
> is EV.
ok, thanks for clarification. It seems the referenced validation 
algorithm leaves quite a lot of flexibility how implementers interpret 
the top of the chain. I'm still curious will the "final sets" for the 
following chain:

Root (no policy OID OR any_policy)
  I
V
Issuing (CA supplied  EV policy OID)
  I
V
EV SSL ([CA supplied  EV policy OID] OR [CAB Forum EV SSL OID] AND/OR 
[ETSI EVCP OR ETSI EVCP+])

be empty?

Thanks,
M.D.
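
The check described in the quoted reply (seed the user-initial-policy-set with the EV OIDs, run validation, test whether valid_policy_tree is empty), as an added example that is not part of the original message. It is a simplified model of RFC 5280 section 6.1 in which the trust anchor's own certificate is not an input, so only the certificates below the root are listed. Assumptions: `CA_EV` is a constructed placeholder OID, the function names are hypothetical, and policy mappings, inhibitAnyPolicy, requireExplicitPolicy and qualifiers are not modelled.

```python
# Simplified RFC 5280 section 6.1 policy processing (added example, not from the thread).
# Not modelled: policy mappings, inhibitAnyPolicy, requireExplicitPolicy, qualifiers.
ANY_POLICY = "2.5.29.32.0"          # anyPolicy (RFC 5280)
CABF_EV = "2.23.140.1.1"            # CA/Browser Forum EV policy OID
CA_EV = "1.3.6.1.4.1.99999.1.1"     # constructed placeholder for a CA-supplied EV OID


def valid_policies(path, user_initial_policy_set):
    """Return the policies still acceptable after processing `path`.

    `path` holds the certificatePolicies of each certificate below the trust
    anchor, issuer first; None means the extension is absent. The tree starts
    as a single anyPolicy node (RFC 5280 6.1.2).
    """
    user = set(user_initial_policy_set)
    nodes = {ANY_POLICY}                      # valid_policy values at depth i-1
    for cert_policies in path:
        if cert_policies is None:             # 6.1.3 (e): no extension, tree is NULL
            return set()
        children = set()
        for oid in cert_policies:             # 6.1.3 (d)(1): match a parent or anyPolicy
            if oid != ANY_POLICY and (oid in nodes or ANY_POLICY in nodes):
                children.add(oid)
        if ANY_POLICY in cert_policies:       # 6.1.3 (d)(2): every parent gets a child
            children |= nodes
        if not children:                      # 6.1.3 (d)(3): everything pruned
            return set()
        nodes = children
    if ANY_POLICY in user:                    # relying party accepts any policy
        return nodes
    # 6.1.5 (g): intersect the tree with the relying party's EV OID list.
    result = nodes & user
    if ANY_POLICY in nodes:                   # a surviving anyPolicy leaf satisfies all
        result |= user
    return result


def is_ev(path, ev_oids):
    """True when the final policy set is not empty."""
    return bool(valid_policies(path, ev_oids))
```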
