[cabfpub] OIDs for DV and OV

Bruce Morton bruce.morton at entrust.com
Thu Oct 2 18:20:33 UTC 2014

Hi Dean,

Entrust already uses the BR policy OID for OV certificates as I am sure other CAs do. I do not see the downside of using this policy OID.

It would be good to hear why some CAs do not use the reserved policy OIDs.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin
Sent: Thursday, October 02, 2014 1:34 PM
To: public at cabforum.org
Subject: [cabfpub] OIDs for DV and OV

Further to today's discussion on our call, I'd like to get more feedback on a proposal to make a unique standardized OID mandatory for DV and OV certificates in the Baseline Requirements. Currently we have a mandatory OID for EV certificates but optional for OV and DV.  This makes things difficult for at least two groups of constituents:

1.       Relying parties that would like to distinguish between these certificates

2.       Analysts that report on SSL certificate data who have had to issue revised reports because of cert misclassification

My proposal is for CAs to put in OID X if it's a DV certificate and OID Y if it's an OV certificate.

As Rick reminded me on the call, we currently have something like this for EV certificates (except that CAs are free to use the standard OID or define one of their own).

I'd like to hear pros/cons of this. Ryan S indicated that Google would not support such a proposal but we didn't have time to discuss the reasons.

I'm sure there are both technical and policy reasons. Personally I'd like to focus on the latter but remarks on both are welcome. This proposal doesn't require anyone to do anything with this data (i.e relying parties can choose whether or not to utilize it).


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141002/754592a8/attachment-0003.html>

More information about the Public mailing list