CA/EV Processing for CAs: Difference between revisions

CA/EV Processing for CAs (view source)

Revision as of 18:51, 3 October 2019

50 bytes added , 3 October 2019

m

added link

Kathleen Wilson

Confirmed users, Administrators

5,526

edits

@@ Line 13: / Line 13: @@
 * The certificatePolicies extension includes the same “recognized” policy OID as Firefox chose from the end-entity certificate (either a CA-specific OID or the CAB Forum OID)
 === Cross-Certification ===
-EV certificates that chain to multiple roots via cross-certification follow the rules listed above. Special care should be taken in using CA-specific EV identifiers in this situation because it is possible for there to be a mismatch between the policy Firefox chooses from the end-entity certificate and the policy associated with the root chosen by the path building algorithm. Best practice is to rely on the CAB Forum EV policy OID by placing it in the first position of all end-entity EV certificates.
+EV certificates that chain to multiple roots via cross-certification follow the rules listed above. Special care should be taken in using CA-specific EV identifiers in this situation because it is possible for there to be a mismatch between the policy Firefox chooses from the end-entity certificate and the policy associated with the root chosen by the [[SecurityEngineering/Certificate_Verification|path building algorithm]]. Best practice is to rely on the CAB Forum EV policy OID by placing it in the first position of all end-entity EV certificates.
 === Revocation Checking ===
 An additional consideration for receiving the EV UI is that revocation checking must succeed via OCSP (or some future revocation checking mechanism) for the end-entity and intermediate CA certificate(s). If the security.OCSP.enabled preference is set to ‘0’, OCSP checking is not performed and the EV UI will not appear for otherwise valid EV certificates.