Eddy Nigg (StartCom Ltd.) wrote, On 2008-02-10 17:33:
> Network Solutions has a server certificate issued by "Network Solutions
> EV SSL CA". Ever heard of this CA? Well, it's chained like this:
>
> "AddTrust External CA Root" from Sweden and belongs to Comodo from the
> United Kingdom ->
> "UTN-USERFirst-Hardware" from the US ->
> "Network Solutions Certificate Authority" from the US ->
> "Network Solutions EV SSL CA" (Surprise!) ->
> "www.networksolutions.com"
>
> Now, I have no clue how this is going to work and perhaps Nelson can
> give us some more information.
The chain you cited above, for https://www.networksolutions.com/ is a valid SSL server chain, but is not valid for the EV policy OID contained in the server's cert. This is because the UTN-USERFirst-Hardware cert in that chain does not contain any extension that shows that its issuer authorized it to issue certs for that policy OID.

If, and as long as, this is the only certificate chain with which this server certificate can be validated, this server will be found to be valid for SSL, but will not be recognized as an EV server. The browser will treat this server as a valid SSL server (locked lock icon), but will not show any of the additional UI displays that accompany an EV certificate.

If and when there exists another cert chain that proceeds from that same server cert up to a root CA that is approved to issue certs for the EV policy OID found in that server's cert, then that server cert will be recognized as a valid EV server, and the browser's UI will display accordingly.

Note that for some servers' certificates, there may exist multiple simultaneously valid chains that lead from the same server certificate up to different roots. The browser's Certificate Viewer dialog can only show one of those chains, and the one it shows may not be the one that leads to an EV root. The purpose of that viewer, as presently implemented, is only to show that there exists a valid chain that confirms that the certificate is a valid SSL certificate. The EV test is done separately and the results may be different. There is not yet a viewer to view the chain that is the result of the EV certificate check.

> Perhaps somebody knows how to explain how this technically will work and how
> the criteria and CAB Forum guidelines are meant to be.

Yes, perhaps somebody does. :)

/Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
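The following is an added illustration of the two separate checks Nelson describes (SSL validity versus EV validity, possibly over different chains from the same leaf). It is not part of his reply and is not NSS code: it is a small Python model that builds every chain from a leaf to a trusted root by issuer-name matching only, then asks which of those chains also satisfies the EV policy rule (the EV OID in the leaf, asserted or anyPolicy in every intermediate, and the root approved for that OID). The EV OID `1.3.6.1.4.1.99999.1.1`, the root "Hypothetical EV Root", the cross-certificate that reaches it, and all certificate contents are constructed for the example; the real certificates' policy extensions were not inspected here.

```python
"""Added example: chain building plus a separate EV policy check.

Models the behaviour described in the post: a leaf may have several valid
chains; SSL validity needs any chain to a trusted root, EV validity needs a
chain whose every intermediate asserts the EV policy OID (or anyPolicy) and
whose root is approved for that OID. Signatures, validity periods, revocation
and policy constraints are deliberately out of scope.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

ANY_POLICY = "2.5.29.32.0"  # anyPolicy (RFC 5280, section 4.2.1.4)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    # certificatePolicies OIDs; an empty set models a cert with no such extension
    policies: FrozenSet[str] = frozenset()

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chains(leaf: Cert, pool: List[Cert], trusted_roots: Set[str]) -> List[List[Cert]]:
    """Every chain leaf -> ... -> trusted self-signed root buildable from pool."""
    chains: List[List[Cert]] = []

    def walk(chain: List[Cert]) -> None:
        top = chain[-1]
        if top.self_signed:
            if top.subject in trusted_roots:
                chains.append(list(chain))
            return
        for cand in pool:
            if cand.subject == top.issuer and cand not in chain:  # no cycles
                walk(chain + [cand])

    walk([leaf])
    return chains


def ev_policies(chain: List[Cert], ev_roots: Dict[str, Set[str]]) -> Set[str]:
    """EV OIDs for which this chain validates (empty set = not an EV chain)."""
    leaf, intermediates, root = chain[0], chain[1:-1], chain[-1]
    approved = ev_roots.get(root.subject, set())
    return {
        oid
        for oid in leaf.policies & approved
        if all(oid in c.policies or ANY_POLICY in c.policies for c in intermediates)
    }


def classify(leaf: Cert, pool: List[Cert], trusted_roots: Set[str],
             ev_roots: Dict[str, Set[str]]) -> Dict[str, object]:
    """Run the SSL check and the EV check separately, as the browser does."""
    chains = build_chains(leaf, pool, trusted_roots)
    names = [[c.subject for c in ch] for ch in chains]
    ev = [n for n, ch in zip(names, chains) if ev_policies(ch, ev_roots)]
    return {"ssl_valid": bool(chains), "chains": names, "ev_chains": ev}


# --- constructed data ------------------------------------------------------
EV_OID = "1.3.6.1.4.1.99999.1.1"  # hypothetical EV policy OID, not any real CA's

addtrust = Cert("AddTrust External CA Root", "AddTrust External CA Root")
# modelled as the post describes it: no policy extension authorising EV_OID
utn_via_addtrust = Cert("UTN-USERFirst-Hardware", "AddTrust External CA Root")
netsol_ca = Cert("Network Solutions Certificate Authority",
                 "UTN-USERFirst-Hardware", frozenset({EV_OID}))
netsol_ev = Cert("Network Solutions EV SSL CA",
                 "Network Solutions Certificate Authority", frozenset({EV_OID}))
leaf = Cert("www.networksolutions.com", "Network Solutions EV SSL CA", frozenset({EV_OID}))

# hypothetical second path: a cross-certificate for the same UTN subject that
# does assert EV_OID, issued by a hypothetical root approved for EV_OID
hyp_root = Cert("Hypothetical EV Root", "Hypothetical EV Root")
utn_via_hyp = Cert("UTN-USERFirst-Hardware", "Hypothetical EV Root", frozenset({EV_OID}))

TRUSTED_ROOTS = {"AddTrust External CA Root", "Hypothetical EV Root"}
# both roots approved for EV_OID, so the first chain fails only because of
# the UTN-USERFirst-Hardware intermediate, exactly as in the post
EV_ROOTS = {"AddTrust External CA Root": {EV_OID}, "Hypothetical EV Root": {EV_OID}}

POOL_AS_POSTED = [addtrust, utn_via_addtrust, netsol_ca, netsol_ev]
POOL_WITH_CROSS_CERT = POOL_AS_POSTED + [hyp_root, utn_via_hyp]

if __name__ == "__main__":
    print("as posted:        ", classify(leaf, POOL_AS_POSTED, TRUSTED_ROOTS, EV_ROOTS))
    print("with cross-cert:  ", classify(leaf, POOL_WITH_CROSS_CERT, TRUSTED_ROOTS, EV_ROOTS))
```

With the pool as posted the leaf is SSL-valid (one chain) but no chain is EV-valid; adding the hypothetical cross-certificate yields two chains, of which only the one ending at the EV-approved root passes the EV check. A certificate viewer that shows a single chain could display either of them, which is the point made above about the viewer and the EV test giving different answers.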