m (Updated per Bug #1769150 which causes each EV OID in the end-entity cert to be checked until a valid path is found)
(Added paragraph about our intent to only recognize the CAB Forum EV policy OID in the future)
=== CA-Specific OIDs ===
Our long-term goal is to have Firefox recognize only the CAB Forum EV policy OID (2.23.140.1.1). We have therefore stopped adding CA-specific EV OIDs to ExtendedValidation.cpp, and are only adding the 2.23.140.1.1 EV OID for new EV-enablement requests. This page still describes Firefox's treatment of CA-specific EV OIDs because we are not currently planning to go back and change it for root certificates that already have a CA-specific EV OID. Our current plan is to let those pre-existing root certificates expire.

It is fine for the CA's certificates to also specify their CA-specific OID(s), but the 2.23.140.1.1 OID will also need to be in them.

Firefox matches the EV OID found in the end-entity certificate with one or more EV OIDs associated with the root in the ExtendedValidation.cpp file. In the process of running the [[SecurityEngineering/Certificate_Verification|path building algorithm]], when a potential root certificate has been identified, the recognized EV policy OID(s) found in the end-entity certificate are compared to the EV policy OID(s) associated with the root. If they match, the candidate is a valid trust anchor, and the end-entity will be considered EV if all other checks pass. In addition, if the CAB Forum EV policy OID is a recognized OID in the certificatePolicies extension of the end-entity certificate, EV status is granted if the root is EV-enabled for any OID.
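The matching rule described above, as an added illustration rather than Firefox's own ExtendedValidation.cpp or CertVerifier code: a constructed root table (root names and the CA-specific OID are placeholders) and a function that returns the policy OID under which a candidate root qualifies as an EV trust anchor, checking every EV OID in the end-entity certificate as Bug #1769150 describes, and applying the CAB Forum OID rule.

```cpp
#include <set>
#include <string>
#include <vector>

// CAB Forum EV policy OID (the one Firefox intends to recognize going forward).
static const char* const kCABForumEVOid = "2.23.140.1.1";

// Constructed stand-in for the per-root EV OID table in ExtendedValidation.cpp.
struct RootEVInfo {
  std::string name;
  std::set<std::string> evOids;  // EV policy OIDs this root is EV-enabled for
};

static const std::vector<RootEVInfo> kRootEVTable = {
  {"Example Legacy Root", {"1.3.6.1.4.1.99999.1.2"}},  // placeholder CA-specific OID only
  {"Example Modern Root", {kCABForumEVOid}},            // CAB Forum OID only
  {"Example DV Root", {}},                              // not EV-enabled
};

// Returns the policy OID under which `root` is a valid EV trust anchor for a
// certificate carrying `eePolicyOids` (certificatePolicies of the end-entity),
// or "" if the end-entity must not be treated as EV under this root.
std::string findEVPolicy(const RootEVInfo& root,
                         const std::vector<std::string>& eePolicyOids) {
  if (root.evOids.empty()) return "";  // root not EV-enabled at all
  // Bug #1769150 behaviour: try every EV OID in the end-entity cert, not just
  // the first one, until one matches an OID the root is EV-enabled for.
  for (const auto& oid : eePolicyOids) {
    if (root.evOids.count(oid)) return oid;
  }
  // The CAB Forum EV OID in the end-entity cert grants EV status as long as
  // the root is EV-enabled for any OID at all (e.g. a legacy CA-specific one).
  for (const auto& oid : eePolicyOids) {
    if (oid == kCABForumEVOid) return oid;
  }
  return "";  // e.g. only DV/OV policy OIDs present: never EV
}

// Convenience wrapper: look the root up by name; "" if unknown or not EV.
std::string evPolicyForRoot(const std::string& rootName,
                            const std::vector<std::string>& eePolicyOids) {
  for (const auto& root : kRootEVTable) {
    if (root.name == rootName) return findEVPolicy(root, eePolicyOids);
  }
  return "";
}
```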