Frank Hecker wrote:
> Frank Hecker wrote:
>> I've filed a bug against myself (399214) to update the current Mozilla 
>> CA certificate policy to address the issue of "extended validation" 
>> certificates.
> 
> After thinking about it, I think it may be possible to do this just by 
> adding a final paragraph to section 6 of the current policy:
> 
>    In addition, if a CA wishes its certificate to be marked to note that
>    Extended Validation certificates may be issued under the associated CA
>    hierarchy then we require that the CA comply with the "Guidelines for
>    the Issuance and Management of Extended Validation Certificates,
>    Version 1.0" (as modified by the erratum published by the CAB Forum),
>    and have its compliance attested to in accordance with the
>    requirements of Section J of that document.
> 
> I've attached a proposed patch to this effect to bug 399214.
> 
> Your comments are welcome.

I think that's fine in terms of stating the qualifications.  However,
I think there are also procedural questions/issues to be addressed.

During his term as administrator of the Root CA cert policy, Gerv created
a questionnaire that he routinely asked CAs to answer in their applications.
I think it would be good to publish that along with the formal policy.

To handle EV CAs, that questionnaire needs to be extended slightly.
It needs to ask, for each root cert being put forward, whether that cert
will be a root for EV certs, and if so, what is the EV policy OID that
will be used in all EV certs that chain up to that root?

-- 
Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
