(Initial page copy) |
m (added link) |
||
Line 5: | Line 5: | ||
Firefox is sensitive to the position of OIDs in the certificatePolicies extension of the end-entity certificate. Firefox “recognizes” the set of all EV policy OIDs associated with all roots from all CAs in the NSS root store, plus the CAB Forum EV OID (2.23.140.1.1). Firefox only processes the first recognized EV policy OID found in the certificatePolicies extension. Later OIDs, even if recognized by Firefox, are ignored. | Firefox is sensitive to the position of OIDs in the certificatePolicies extension of the end-entity certificate. Firefox “recognizes” the set of all EV policy OIDs associated with all roots from all CAs in the NSS root store, plus the CAB Forum EV OID (2.23.140.1.1). Firefox only processes the first recognized EV policy OID found in the certificatePolicies extension. Later OIDs, even if recognized by Firefox, are ignored. | ||
=== CA-Specific OIDs === | === CA-Specific OIDs === | ||
Firefox matches the EV OID found in the end-entity certificate with one or more EV OIDs associated with the root in the ExtendedValidation.cpp file. Once the path building algorithm has found the chain-of-trust and identified the root CA certificate, the first recognized EV policy OID found in the end-entity certificate is compared to the EV policy OID(s) associated with the root. If they match, the certificate is granted EV status. In addition, if the CAB Forum EV policy OID is the first recognized OID in the certificatePolicies extension of the end-entity certificate, EV status is granted if the root is EV-enabled for any OID. | Firefox matches the EV OID found in the end-entity certificate with one or more EV OIDs associated with the root in the ExtendedValidation.cpp file. Once the [[SecurityEngineering/Certificate_Verification|path building algorithm]] has found the chain-of-trust and identified the root CA certificate, the first recognized EV policy OID found in the end-entity certificate is compared to the EV policy OID(s) associated with the root. If they match, the certificate is granted EV status. In addition, if the CAB Forum EV policy OID is the first recognized OID in the certificatePolicies extension of the end-entity certificate, EV status is granted if the root is EV-enabled for any OID. | ||
=== Policy Constraints === | === Policy Constraints === | ||
Any Intermediate certificates in the chain must assert a policy that includes the first recognized EV policy OID found in the end-entity certificate. This means that one of the following must be true for each intermediate CA certificate in the chain: | Any Intermediate certificates in the chain must assert a policy that includes the first recognized EV policy OID found in the end-entity certificate. This means that one of the following must be true for each intermediate CA certificate in the chain: |
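Review bot: "ExtendedValidation.cpp" in the first sentence of the CA-Specific OIDs paragraph is still a bare file name with no link or path, even though this revision links "path building algorithm" in the very next sentence. Since that file is where the root-to-EV-OID associations live, and the paragraph's matching rule depends on them, consider linking the file name to its source location in the same way so a reader can check which OIDs a given root is enabled for.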