[cabfpub] Ballot 89 Again (Publish Recommendations for the Processing of EV SSL Certificates v.2)

Moudrick M. Dadashov md at ssc.lt
Fri Nov 22 16:47:02 UTC 2013

On 11/22/2013 5:43 PM, Erwann Abalea wrote:
> Le 22/11/2013 02:11, Moudrick M. Dadashov a écrit :
>> Rick, I see here a problem that not all roots have policy OIDs. It's been common understanding that roots serve more like TA containers rather than certificates. Looks like this has changed, right?
> EV OIDs are attached to a TA, as metadata.
> It fits the X.509/RFC5280 validation algorithm; the relying party just
> has to set the initial-policy-set (X.509) or user-initial-policy-set
> (RFC5280) with the OIDs declared as EV, run the validation algorithm,
> and check the user-constrained-policy-set (X.509) or valid_policy_tree
> (RFC5280) size. If those final sets are not empty, then the certificate
> is EV.
ok, thanks for clarification. It seems the the referenced validation 
algorithm leaves quite a lot of flexibility how implementers interpret 
the top of the chain. I'm still curious will the "final sets" for the 
following chain:

Root (no policy OID OR any_policy)
Issuing (CA supplied  EV policy OID)
EV SSL ([CA supplied  EV policy OID] OR [CAB Forum EV SSL OID] AND/OR 

be empty?


> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3663 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131122/043ec7af/attachment-0001.p7s>

More information about the Public mailing list