Nelson B Bolyard wrote:
> Frank Hecker wrote, On 2008-03-18 05:17:
>
>> Right now we don't have any technical mechanism to accept only EV
>> certificates issued within a CA hierarchy, but not EV certs from within
>> that same hierarchy.
<snip>
> I suspect you meant "... to accept EV certs, but not NON-EV certs, from
> the same CA hierarchy." Is that what you meant?

Yes, sorry about that.

> NSS offers methods to ask "Is this a valid cert (regardless of EV)" and
> "Is this a valid EV cert"? With those two methods, it is possible for a
> user of NSS (such as PSM) to achieve the result that (I *think*) you
> described (EV or non-EV certs accepted exclusively, subordinate to some
> root) But I do not understand under what circumstances such a thing would
> be desired.

I'll let Eddy speak for himself, but I believe he's thinking of a scenario where we (Mozilla) or the user (a power user, to be sure) would decide that we trust CA Foo to issue EV certs, but we or the user think they have unacceptable practices on non-EV certs (like issuing wildcard DV certs, for example, which Eddy objects to). Then Eddy's idea is that we (or the user) would configure Firefox et al. to accept EV certs from the hierarchy rooted at CA Foo's root, but to reject any other (i.e., non-EV) certs issued in the same hierarchy.

> How would the browser decide when to invoke this rule?
> How would the browser discern a CA hierarchy in which both EV and non-EV
> certs are accepted from one in which only EV (or only non-EV) certs were
> to be accepted?

I'm not proposing we do this, but consider the following: We have a new "EV SSL trust bit" to accompany the existing SSL trust bit and the existing EV policy OID mechanism. For a given end-entity SSL certificate, we do path processing and checking of any policy OIDs present, and determine whether the cert is a valid EV cert or not. If it's an EV cert then we check to verify that the EV SSL trust bit is on, and reject it if not. If it's a non-EV cert then we check the regular SSL trust bit instead.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
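The decision rule Frank sketches, modelled as an added example (not NSS or PSM code, and not part of the thread). It assumes a simplified EV determination: a root is registered with one EV policy OID, and a chain counts as EV when the end-entity cert carries that OID and every intermediate carries it or anyPolicy; the chain is assumed to have already passed ordinary path validation. The OIDs and CA names are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional, Tuple

ANY_POLICY = "2.5.29.32.0"  # id-ce-certificatePolicies anyPolicy

@dataclass
class Cert:
    subject: str
    policies: frozenset = field(default_factory=frozenset)  # certificatePolicies OIDs

@dataclass
class TrustedRoot:
    cert: Cert
    ssl_trust: bool                     # existing SSL trust bit
    ev_ssl_trust: bool                  # proposed "EV SSL trust bit"
    ev_policy_oid: Optional[str] = None  # EV OID registered for this root, None if no EV

def is_ev_chain(chain: list, root: TrustedRoot) -> bool:
    """chain is [end-entity, intermediate..., ] below the anchor `root`.
    Simplified model of the EV policy OID check described in the thread."""
    if root.ev_policy_oid is None or not chain:
        return False
    ee, intermediates = chain[0], chain[1:]
    if root.ev_policy_oid not in ee.policies:
        return False
    return all(root.ev_policy_oid in c.policies or ANY_POLICY in c.policies
               for c in intermediates)

def accept(chain: list, root: TrustedRoot) -> Tuple[bool, str]:
    """EV certs are gated by the EV SSL trust bit, everything else by the SSL bit."""
    if is_ev_chain(chain, root):
        return root.ev_ssl_trust, "EV cert: EV SSL trust bit consulted"
    return root.ssl_trust, "non-EV cert: SSL trust bit consulted"

# Constructed sample hierarchy: "CA Foo" trusted for EV only.
FOO_EV_OID = "1.3.6.1.4.1.99999.1.1"   # placeholder, not a real EV OID
FOO_ROOT = TrustedRoot(Cert("CA Foo Root"), ssl_trust=False,
                       ev_ssl_trust=True, ev_policy_oid=FOO_EV_OID)
FOO_SUB = Cert("CA Foo EV Sub", frozenset({ANY_POLICY}))
EV_SITE = Cert("www.example.test", frozenset({FOO_EV_OID}))
DV_WILDCARD = Cert("*.example.test", frozenset({"1.3.6.1.4.1.99999.2.1"}))

EV_CHAIN = [EV_SITE, FOO_SUB]
DV_CHAIN = [DV_WILDCARD, FOO_SUB]

if __name__ == "__main__":
    print(accept(EV_CHAIN, FOO_ROOT))  # (True, 'EV cert: ...')
    print(accept(DV_CHAIN, FOO_ROOT))  # (False, 'non-EV cert: ...')
```

Flipping `ssl_trust` to True on the same root makes the model accept both chains, which is the ordinary "both bits on" configuration.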