Confirmed users
377
edits
CA/EV Processing for CAs: Difference between revisions
m
→CA-Specific OIDs: Added link
(→EV TLS Capable: clarification on CA-specific EV OIDs) |
m (→CA-Specific OIDs: Added link) |
||
| Line 20: | Line 20: | ||
=== CA-Specific OIDs === | === CA-Specific OIDs === | ||
Our long-term goal is to have Firefox only recognize the CAB Forum EV policy OID (2.23.140.1.1). So we stopped adding CA-specific EV OIDs to ExtendedValidation.cpp, and are only adding the 2.23.140.1.1 EV OID for new EV-enablement requests. This page still describes Firefox's treatment of CA-specific EV OIDs because we are not currently planning to go back and change it for root certificates that already had a CA-specific EV OID. Our current plan is to let those pre-existing root certificates expire. | Our long-term goal is to have Firefox only recognize the CAB Forum EV policy OID (2.23.140.1.1). So we stopped adding CA-specific EV OIDs to [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp ExtendedValidation.cpp], and are only adding the 2.23.140.1.1 EV OID for new EV-enablement requests. This page still describes Firefox's treatment of CA-specific EV OIDs because we are not currently planning to go back and change it for root certificates that already had a CA-specific EV OID. Our current plan is to let those pre-existing root certificates expire. | ||
It is fine for the CA's certificates to also specify their CA-specific OID(s), but the 2.23.140.1.1 OID will also need to be in them. | It is fine for the CA's certificates to also specify their CA-specific OID(s), but the 2.23.140.1.1 OID will also need to be in them. | ||