CA/EV Processing for CAs: Difference between revisions

CA/EV Processing for CAs (view source)

1 byte removed , 6 November 2020

m

moved the recursive bullet point up to the top, for clarity

Confirmed users, Administrators

5,526

edits

@@ Line 1: / Line 1: @@
 = EV TLS Capable =
 Mozilla considers an intermediate certificate to be capable of issuing EV TLS certificates when all of the following are true. The intermediate certificate:
+* is signed by an EV TLS Capable certificate (when not directly signed by the root certificate)
 * either directly or transitively chains up to a root certificate included in Mozilla's root store with the TLS (Websites) trust bit turned on, and EV enabled
 * is not revoked and not expired
 * does not have an Extended Key Usage (EKU) extension or does have an EKU extension containing KeyPurposeIds: anyExtendedKeyUsage or id-kp-serverAuth
 * has Policy Identifiers containing one or more of: 2.23.140.1.1 (CABF EV OID), 2.5.29.32.0  (anyPolicy OID), the CA's EV OIDs used by Mozilla in [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp ExtendedValidation.cpp]
-* is signed by an EV TLS Capable certificate (when not directly signed by the root certificate)
 = Firefox EV Processing Logic =