A claim was made that EV certs don't require extended key usage, but
allow Signing, Key Encipherment, Data Encipherment in the basic key
usage field. Additionally, email addresses presented in EV certs don't
have to be validated.
From the technical aspect, if no extended key usage like email
protection or authentication is included in the certificate, signing and
encryption for email can be used (provided the required Signing, Key
Encipherment and Data Encipherment bits are set in the basic key usage).
If an extended key usage exists, then use is permitted only according to
the set extensions (i.e. it requires email protection). Mozilla (in
particular Thunderbird) handles this as expected.
I'm somewhat surprised by both claims above, but a quick search through
the EV guidelines revealed nothing in that respect to positively deny
the claims. Can somebody else also have a look at this? In case the
claims are correct and email address fields are allowed or required for
EV SSL server certificates and *no* extended key usage is set *and*
validation of the email address does not have to be performed, I suggest
taking this to the CAB forum urgently!
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
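The key-usage / extended-key-usage rule described in the message above, as an added example (not code from the post, Mozilla or StartCom): it walks a certificate's DER Extensions sequence and reports whether S/MIME signing and encryption would be permitted by that rule. The tiny DER helpers, the encoder used to build constructed fixtures, and treating a missing keyUsage extension as unrestricted (RFC 5280 semantics) are this example's own assumptions.

```python
# Assumption: DER helpers written for this example; they cover only what these checks need.
KU_OID, EKU_OID = "2.5.29.15", "2.5.29.37"
EMAIL_PROTECTION, SERVER_AUTH = "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.1"
DIGITAL_SIGNATURE, KEY_ENCIPHERMENT = 0x80, 0x20   # keyUsage bits 0 and 2 (MSB first)

def tlv(tag, body):                 # DER tag-length-value, lengths below 64 KiB
    n = len(body)
    ln = bytes([n]) if n < 128 else (bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + ln + body
def oid(dotted):                    # encoder for arcs < 128 (all OIDs used here)
    a = [int(x) for x in dotted.split(".")]
    return tlv(0x06, bytes([40 * a[0] + a[1]] + a[2:]))
def parse_tlv(buf):                 # -> (tag, value, bytes after this element)
    tag, n, i = buf[0], buf[1], 2
    if n & 0x80:                    # long-form length: low 7 bits = byte count
        n, i = int.from_bytes(buf[2:2 + (n & 0x7F)], "big"), 2 + (n & 0x7F)
    return tag, buf[i:i + n], buf[i + n:]
def parse_oid(value):               # full base-128 arc decoding
    arcs, v = [value[0] // 40, value[0] % 40], 0
    for c in value[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))
def children(body):                 # (tag, value) of each element in a constructed value
    out = []
    while body:
        tag, val, body = parse_tlv(body)
        out.append((tag, val))
    return out
def extension(ext_oid, inner):      # Extension ::= SEQUENCE { OID, OCTET STRING }
    return tlv(0x30, oid(ext_oid) + tlv(0x04, inner))
def key_usage_ext(flags):           # keyUsage BIT STRING, one byte of flags
    return extension(KU_OID, tlv(0x03, bytes([0, flags])))
def eku_ext(*purposes):             # extKeyUsage SEQUENCE OF OBJECT IDENTIFIER
    return extension(EKU_OID, tlv(0x30, b"".join(oid(p) for p in purposes)))

def smime_allowed(extensions_der):
    # Rule from the post: an EKU, if present, must list emailProtection; with no
    # EKU the keyUsage bits decide (no keyUsage at all = unrestricted, RFC 5280).
    found = {}
    for _, ext in children(parse_tlv(extensions_der)[1]):
        parts = children(ext)       # OID, optional 'critical' BOOLEAN, OCTET STRING
        found[parse_oid(parts[0][1])] = parts[-1][1]
    if EKU_OID in found:
        purposes = [parse_oid(v) for _, v in children(parse_tlv(found[EKU_OID])[1])]
        return EMAIL_PROTECTION in purposes
    if KU_OID not in found:
        return True
    flags = parse_tlv(found[KU_OID])[1][1]
    return bool(flags & DIGITAL_SIGNATURE and flags & KEY_ENCIPHERMENT)
```

The fixtures a caller builds with `key_usage_ext` and `eku_ext` are constructed, not taken from any real certificate.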