[cabfpub] OIDs for DV and OV

Moudrick M. Dadashov md at ssc.lt
Fri Oct 3 17:46:38 UTC 2014

Hi Mads,

I noticed you use two different terms: CP OID (as a reference to CA 
document) and xV OID (as a reference to DV, OV or EV type certificate). 
Did I understand you correctly?


On 10/3/2014 7:06 PM, Mads Egil Henriksveen wrote:
> Hi Dean
> My understanding is that EVG requires an Issuer specific EV CP OID for 
> EV certificates while BR requires one or more CP OIDs for OV and DV 
> certificates. I don't see any difference between EV and OV/DV with 
> respect to OID requirements. In addition BR defines two CP OIDs for OV 
> and DV respectively while EVG does not define any EV CP OID.
> Buypass already use the BR CP OV and DV OIDs in addition to our own 
> specific OV and DV CP OIDs in our certificates. For EV we use our 
> specific EV CP OID only.
> We do not see any issues regarding the use of the BR specific OIDs in 
> OV/DV-certificates.
> Regards
> Mads
> *From:*public-bounces at cabforum.org 
> <mailto:public-bounces at cabforum.org> 
> [mailto:public-bounces at cabforum.org] *On Behalf Of *Dean Coclin
> *Sent:* 2. oktober 2014 19:34
> *To:* public at cabforum.org <mailto:public at cabforum.org>
> *Subject:* [cabfpub] OIDs for DV and OV
> Further to today's discussion on our call, I'd like to get more 
> feedback on a proposal to make a unique standardized OID mandatory for 
> DV and OV certificates in the Baseline Requirements. Currently we have 
> a mandatory OID for EV certificates but optional for OV and DV.  This 
> makes things difficult for at least two groups of constituents:
> 1.Relying parties that would like to distinguish between these 
> certificates
> 2.Analysts that report on SSL certificate data who have had to issue 
> revised reports because of cert misclassification
> My proposal is for CAs to put in OID X if it's a DV certificate and 
> OID Y if it's an OV certificate.
> As Rick reminded me on the call, we currently have something like this 
> for EV certificates (except that CAs are free to use the standard OID 
> or define one of their own).
> I'd like to hear pros/cons of this. Ryan S indicated that Google would 
> not support such a proposal but we didn't have time to discuss the 
> reasons.
> I'm sure there are both technical and policy reasons. Personally I'd 
> like to focus on the latter but remarks on both are welcome. This 
> proposal doesn't require anyone to do anything with this data (i.e 
> relying parties can choose whether or not to utilize it).
> Thanks,
> Dean
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141003/40f442b7/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3653 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141003/40f442b7/attachment-0001.p7s>

More information about the Public mailing list