Eddy,
 
Yes, I think we need to include the new EV root in NSS, as well as our
older PCA3 root. Web servers still need to be configured with the
intermediate and cross-signed certs so that older browsers that only
know about the older PCA3 root see the EV cert as chaining up to that
trusted root. FF3, if it has the new root in it, should ignore the
cross-cert and conclude that the intermediate CA chains up to the new EV
root.
 
-Rick


________________________________

        From: Eddy Nigg (StartCom Ltd.) [mailto:[EMAIL PROTECTED] 
        Sent: Wednesday, November 07, 2007 1:42 PM
        To: Andrews, Rick
        Cc: dev-tech-crypto@lists.mozilla.org
        Subject: Re: Inclusion of VeriSign EV root in Firefox 3 betas for testing
        
        
        Hi Andrews,
        
        Andrews, Rick wrote:
        

                Web servers with a VeriSign EV cert are configured with the end entity
                cert and two intermediate CAs: the EV CA and a cross-signed cert.

        If so, wouldn't it be better to formally include the new (EV) root in NSS
        in its own right instead of using the cross signed and chained to the old root?
        
        
        -- 
        
Regards         
        
Signer:          Eddy Nigg, StartCom Ltd. <http://www.startcom.org>     
Jabber:          [EMAIL PROTECTED]      
Blog:    Join the Revolution! <http://blog.startcom.org>        
Phone:   +1.213.341.0390        
        

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
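
The path-building behaviour discussed in this thread, as an added example that is not part of the original messages and is not NSS code. It assumes a simplified model that matches certificates by subject and issuer name only (no signature, validity or policy checks); all certificate names are constructed stand-ins.

```python
from collections import namedtuple

# Simplified certificate model: subject and issuer names only (assumption:
# no signatures, dates or policies are checked, unlike a real validator).
Cert = namedtuple("Cert", "label subject issuer")

# Constructed stand-ins for the hierarchy discussed in the thread.
OLD_ROOT = Cert("old PCA3 root", "PCA3 Root", "PCA3 Root")
EV_ROOT = Cert("new EV root", "EV Root", "EV Root")
# The cross-signed cert carries the EV root's name but is issued by the old root.
CROSS = Cert("cross-signed cert", "EV Root", "PCA3 Root")
EV_CA = Cert("EV intermediate CA", "EV CA", "EV Root")
LEAF = Cert("end-entity cert", "www.example.test", "EV CA")

def build_path(sent, trust_store):
    """Return cert labels from leaf to trust anchor, or None if no path exists."""
    path = [sent[0]]
    while True:
        issuer = path[-1].issuer
        # A trusted root matching the issuer ends the search at once, so a
        # cross-cert for the same name is never consulted.
        anchor = next((r for r in trust_store if r.subject == issuer), None)
        if anchor is not None:
            return [c.label for c in path] + [anchor.label]
        # Otherwise keep climbing through the certs the server sent.
        nxt = next((c for c in sent[1:]
                    if c.subject == issuer and c not in path), None)
        if nxt is None:
            return None
        path.append(nxt)

FULL_CHAIN = [LEAF, EV_CA, CROSS]  # server configured as described in the thread
NO_CROSS = [LEAF, EV_CA]           # server that omits the cross-signed cert

if __name__ == "__main__":
    print("old root only:   ", build_path(FULL_CHAIN, [OLD_ROOT]))
    print("both roots:      ", build_path(FULL_CHAIN, [OLD_ROOT, EV_ROOT]))
    print("no cross, old:   ", build_path(NO_CROSS, [OLD_ROOT]))
```

A client that knows only the older root needs the cross-signed cert to reach a trust anchor, while a client that also has the new root stops one step earlier and never uses it.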
