Frank Hecker:
> I just looked at the latest EV guidelines, doing a search for various
> email-related terms (e.g., "email", "e-mail", "RFC 822", "rfc822", etc.)
> and also reading section C in detail. As far as I can tell, the
> guidelines do not mention email addresses in any context relating to the
> content of certificates. There certainly does *not* appear to be any
> EV-related requirement that email addresses be included in EV certificates.
Yes, that's about as far as I got... similar conclusion.
> I also looked at real-life examples of EV certificates from several CAs.
> None included an email address. Where present, the Certificate KeyUsage
> extension had values of Signing and Key Encipherment, and the Extended
> Key Usage extension had values of TLS Web Server Authentication and TLS
> Web Client Authentication. (One certificate also included the Netscape
> Certificate Type extension with values SSL Client Certificate
> and SSL Server Certificate.)
Perhaps in that case email addresses MUST not be included in server
certificates and extended key usage MUST be present and NOT include
E-mail protection. I'm not 100% sure about any requirement in that
respect and/or if additional key usage (such as Key/Data Encipherment,
Email protection) may be present or not. Or if there is an explicit
requirement either way to make sure these certificates can't be used for
email. Apparently the representative of DigiNotar claimed that this
might be the case (or they don't follow the EV guidelines correctly,
which would be a different problem).
I suggest consulting the CAB Forum about what exactly must or must not
be included, in case we can't reach a conclusion by ourselves.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
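The checks the thread is circling around (no email address in the Subject DN or SAN of a server certificate, an Extended Key Usage extension that is present and does not include emailProtection) can be expressed as a small audit routine. The following Go program is an added example written for this page, not code from the thread participants or from any CA; it uses only the standard library. It constructs self-signed test certificates in memory (the names and addresses in them are made up) and runs the audit over them; `CheckServerCertEmailUse` and `MakeTestCert` are names chosen here, not anything from the EV guidelines.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidEmailAddress is PKCS#9 emailAddress (1.2.840.113549.1.9.1), the legacy
// place where an e-mail address can appear inside a Subject DN.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// CheckServerCertEmailUse audits a certificate that is meant to be a TLS
// server certificate and reports anything that would let it be used for
// e-mail: an emailAddress attribute in the Subject DN, an rfc822Name in the
// SAN extension, a missing EKU extension, or an EKU that lists
// emailProtection. An empty result means none of those were found.
func CheckServerCertEmailUse(cert *x509.Certificate) []string {
	var findings []string
	// Subject.Names holds every parsed DN attribute, including non-standard OIDs.
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			findings = append(findings, fmt.Sprintf("subject DN contains emailAddress=%v", atv.Value))
		}
	}
	for _, e := range cert.EmailAddresses {
		findings = append(findings, "SAN contains rfc822Name "+e)
	}
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		findings = append(findings, "no Extended Key Usage extension present")
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection {
			findings = append(findings, "EKU includes emailProtection")
		}
	}
	return findings
}

// MakeTestCert builds a self-signed certificate for demonstration only.
// sanEmails go into the SAN extension; subjectEmail, if non-empty, is added
// to the Subject DN as an emailAddress attribute (IA5String, as PKCS#9 expects).
func MakeTestCert(cn string, sanEmails []string, subjectEmail string, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subj := pkix.Name{CommonName: cn, Organization: []string{"Example Corp (constructed)"}}
	if subjectEmail != "" {
		subj.ExtraNames = []pkix.AttributeTypeAndValue{{
			Type:  oidEmailAddress,
			Value: asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte(subjectEmail)},
		}}
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        subj,
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    eku, // nil means no EKU extension is emitted at all
		DNSNames:       []string{cn},
		EmailAddresses: sanEmails,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Parse the DER back so the audit sees exactly what a relying party would.
	return x509.ParseCertificate(der)
}

func main() {
	serverOnly := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	withEmail := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection}

	good, _ := MakeTestCert("www.example.test", nil, "", serverOnly)
	bad, _ := MakeTestCert("www.example.test", []string{"admin@example.test"}, "admin@example.test", withEmail)

	fmt.Println("server-only cert findings:", CheckServerCertEmailUse(good))
	fmt.Println("email-capable cert findings:", CheckServerCertEmailUse(bad))
}
```

To audit a real certificate, replace the constructed input with `x509.ParseCertificate` over the DER of the certificate in question; the audit function itself does not care where the certificate came from. The routine deliberately treats a missing EKU extension as a finding, since in that case nothing in the certificate restricts it to TLS.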