Eddy Nigg (StartCom Ltd.) wrote:
> Thanks for this information. However from our (Mozilla) point of view,
> the root can sign X CA certificates able to sign EV certificates
> (directly and indirectly). The OID requirement is just cosmetically in
> respect of the capabilities once a root is marked as EV, do I understand
> that correct?

I'm not sure what you mean by "cosmetically", but you are correct that once we approve a root for EV then the root can create EV-capable subordinate CAs at will, and we don't currently have the fine-grained control in NSS that would allow overriding that if needed or wanted (e.g., if we want to deny one particular subordinate the ability to issue EV certs).

(Not to sound like a broken record on this topic, but if people did think that such fine-grained control would be useful, it could go onto the list of possible development projects for the Mozilla Foundation to fund.)

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto