SecurityEngineering/mozpkix-testing: Difference between revisions

Line 75: Line 75:


== Future Considerations ==
== Future Considerations ==
While testing mozilla::pkix, we noticed the following things that we would like to consider changing.
While testing mozilla::pkix, we noticed the following things that we would like to consider.
# EV treatment should not be given when the end-entity cert is signed directly by the root cert.
# EV treatment should not be given when the end-entity cert is signed directly by the root cert.
#* Related Bugs: {{Bug|991921}}
#* Related Bugs: {{Bug|991921}}
# Consider only giving EV treatment when the intermediate and end-entity certs in the chain have the specific EV policy OID that we are expecting; in other words, don’t give EV treatment when the intermediate certificate has the anyPolicy OID. To make this change, would need to change the CAB Forum’s EV Guidelines to also require the EV policy OID in intermediate certs (section 9.3.4 says the subordinate CA certificate may contain anyPolicy OID 2.5.29.32.0).
# Consider only giving EV treatment when the intermediate and end-entity certs in the chain have the specific EV policy OID that we are expecting; in other words, don’t give EV treatment when the intermediate certificate has the anyPolicy OID. To make this change, would need to change the CAB Forum’s EV Guidelines to also require the EV policy OID in intermediate certs (section 9.3.4 says the subordinate CA certificate may contain anyPolicy OID 2.5.29.32.0).
#* Related Bugs: {{Bug|986156}}
#* Related Bugs: {{Bug|986156}}
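Review bot: the intro variant that ends at "that we would like to consider." no longer says the items are proposed changes, but item 2 still reads "To make this change, would need to change the CAB Forum’s EV Guidelines", which depends on that framing and is also missing its subject. Either keep "consider changing" in the intro, or reword item 2 along the lines of "Making this change would require the CAB Forum’s EV Guidelines to also require the EV policy OID in intermediate certs", so the list reads correctly under the new intro.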