[cabfpub] OIDs for DV and OV

Ben Wilson ben.wilson at digicert.com
Fri Oct 3 17:57:51 UTC 2014

An OID can be used to identify the document itself and others can be cited to within the document as a means of identifying the policies described in the document under which the certificates are being issued.  My understanding is that both can be asserted in the certificates that are being issued-as long as they aren't confusing or contradictory.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Moudrick M. Dadashov
Sent: Friday, October 3, 2014 11:47 AM
To: Mads Egil Henriksveen; Dean Coclin; public at cabforum.org
Subject: Re: [cabfpub] OIDs for DV and OV

Hi Mads,

I noticed you use two different terms: CP OID (as a reference to CA document) and xV OID (as a reference to DV, OV or EV type certificate). Did I understand you correctly?


On 10/3/2014 7:06 PM, Mads Egil Henriksveen wrote:
Hi Dean

My understanding is that EVG requires an Issuer specific EV CP OID for EV certificates while BR requires one or more CP OIDs for OV and DV certificates. I don't see any difference between EV and OV/DV with respect to OID requirements. In addition BR defines two CP OIDs for OV and DV respectively while EVG does not define any EV CP OID.

Buypass already use the BR CP OV and DV OIDs in addition to our own specific OV and DV CP OIDs in our certificates. For EV we use our specific EV CP OID only.

We do not see any issues regarding the use of the BR specific OIDs in OV/DV-certificates.


From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin
Sent: 2. oktober 2014 19:34
To: public at cabforum.org<mailto:public at cabforum.org>
Subject: [cabfpub] OIDs for DV and OV

Further to today's discussion on our call, I'd like to get more feedback on a proposal to make a unique standardized OID mandatory for DV and OV certificates in the Baseline Requirements. Currently we have a mandatory OID for EV certificates but optional for OV and DV.  This makes things difficult for at least two groups of constituents:

1.      Relying parties that would like to distinguish between these certificates

2.      Analysts that report on SSL certificate data who have had to issue revised reports because of cert misclassification

My proposal is for CAs to put in OID X if it's a DV certificate and OID Y if it's an OV certificate.

As Rick reminded me on the call, we currently have something like this for EV certificates (except that CAs are free to use the standard OID or define one of their own).

I'd like to hear pros/cons of this. Ryan S indicated that Google would not support such a proposal but we didn't have time to discuss the reasons.

I'm sure there are both technical and policy reasons. Personally I'd like to focus on the latter but remarks on both are welcome. This proposal doesn't require anyone to do anything with this data (i.e relying parties can choose whether or not to utilize it).



Public mailing list

Public at cabforum.org<mailto:Public at cabforum.org>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141003/880b6ab3/attachment-0003.html>

More information about the Public mailing list