[cabfpub] OIDs for DV and OV

Dean Coclin Dean_Coclin at symantec.com
Thu Oct 2 10:33:55 MST 2014


Further to today's discussion on our call, I'd like to get more feedback on
a proposal to make a unique standardized OID mandatory for DV and OV
certificates in the Baseline Requirements. Currently we have a mandatory OID
for EV certificates but optional for OV and DV.  This makes things difficult
for at least two groups of constituents:

1. Relying parties that would like to distinguish between these
certificates

2. Analysts that report on SSL certificate data who have had to issue
revised reports because of cert misclassification

My proposal is for CAs to put in OID X if it's a DV certificate and OID Y if
it's an OV certificate.

As Rick reminded me on the call, we currently have something like this for
EV certificates (except that CAs are free to use the standard OID or define
one of their own).

I'd like to hear pros/cons of this. Ryan S indicated that Google would not
support such a proposal but we didn't have time to discuss the reasons.

I'm sure there are both technical and policy reasons. Personally I'd like to
focus on the latter but remarks on both are welcome. This proposal doesn't
require anyone to do anything with this data (i.e., relying parties can choose
whether or not to utilize it).


Thanks,
Dean