m (→What To Report) |
|||
Line 76: | Line 76: | ||
== Future Considerations == | == Future Considerations == | ||
While testing mozilla::pkix, we noticed the following things that we would like to consider changing. | While testing mozilla::pkix, we noticed the following things that we would like to consider changing. | ||
# EV treatment should not be given when the end-entity cert is signed directly by the root cert. | |||
#* Related Bugs: {{Bug|991921}} | |||
# Consider only giving EV treatment when the intermediate and end-entity certs in the chain have the specific EV policy OID that we are expecting; in other words, don’t give EV treatment when the intermediate certificate has the anyPolicy OID. To make this change, would need to change the CAB Forum’s EV Guidelines to also require the EV policy OID in intermediate certs (section 9.3.4 says the subordinate CA certificate may contain anyPolicy OID 2.5.29.32.0). | # Consider only giving EV treatment when the intermediate and end-entity certs in the chain have the specific EV policy OID that we are expecting; in other words, don’t give EV treatment when the intermediate certificate has the anyPolicy OID. To make this change, would need to change the CAB Forum’s EV Guidelines to also require the EV policy OID in intermediate certs (section 9.3.4 says the subordinate CA certificate may contain anyPolicy OID 2.5.29.32.0). | ||
#* Related Bugs: {{Bug|986156}} | #* Related Bugs: {{Bug|986156}} |
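Review bot: The list item "EV treatment should not be given when the end-entity cert is signed directly by the root cert" and its {{Bug|991921}} reference appear only in the old column, so this revision drops them from Future Considerations, but the edit is flagged "m" and its summary names only "What To Report" without giving a reason for the removal. If the item was dropped because it was resolved or moved elsewhere, the summary or the page should say so next to the bug reference; otherwise it should be restored. Separately, in the item that remains, "To make this change, would need to change the CAB Forum's EV Guidelines" has no subject; "we would need to change" would read cleanly.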