Eddy Nigg (StartCom Ltd.) wrote:
> Perhaps in that case email addresses MUST not be included in server
> certificates and extended key usage MUST be present and NOT include
> E-mail protection. I'm not 100% sure about any requirement in that
> respect and/or if additional key usage (such as Key/Data Encipherment,
> Email protection) may be present or not. Or if there is an explicit
> requirement either way to make sure these certificates can't be used for
> email.
Appendix C of the EV guidelines contains requirements relating to EV certificate extensions. For subscriber certificates extendedKeyUsage is *not* required, and not mentioned explicitly in the guidelines; even keyUsage is optional. If keyUsage is present, the only requirement is that it *not* include keyCertSign and cRLSign; nothing is mentioned about keyEncipherment, etc.

The EV guidelines reference RFC 3280 as the guiding document on matters not addressed in the EV guidelines themselves. Section 4.2.1.7 of RFC 3280 allows (and recommends) that email addresses be included in a certificate using the subjectAltName extension; it also says:

    "Because the subject alternative name is considered to be definitively
    bound to the public key, all parts of the subject alternative name
    MUST be verified by the CA."

Note that this requirement applies no matter what the values of keyUsage or extendedKeyUsage happen to be.

So my interpretation is as follows: Nothing in the EV guidelines mandates that email addresses be included in an EV SSL certificate, and nothing in the EV guidelines prohibits email addresses from being included in an EV SSL certificate. However, if email addresses *are* included in an EV SSL certificate, then the EV guidelines implicitly require that they must be verified by the CA. This is a consequence of the EV guidelines' requirement in Appendix B that EV certificate fields and extensions not specified in the EV guidelines must be set in accordance with RFC 3280.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
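The three rules Frank draws out of Appendix C and RFC 3280 section 4.2.1.7 (keyUsage may not assert keyCertSign or cRLSign, extendedKeyUsage is optional, and any rfc822Name in subjectAltName must have been verified by the CA) can be turned into an automated review step. The following Go program is an added example written for this discussion; it is not code from the thread, from Mozilla, or from any CA. It uses only the Go standard library, and the certificate it inspects is a constructed self-signed sample, not a real EV certificate. The finding codes (`KU_CERTSIGN`, `SAN_EMAIL`, and so on) are names chosen here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one observation produced by the extension check.
type Finding struct {
	Code string // short identifier chosen for this example
	Msg  string // human-readable explanation for the reviewer
}

// CheckEVExtensions applies the rules discussed in the thread to a
// subscriber (end-entity) certificate:
//   - keyUsage, if present, must not assert keyCertSign or cRLSign
//     (EV Guidelines Appendix C);
//   - extendedKeyUsage is optional, so its absence is only noted, but an
//     emailProtection EKU is reported because it widens the certificate's
//     scope to S/MIME;
//   - each rfc822Name in subjectAltName is definitively bound to the key
//     and must have been verified by the CA (RFC 3280 4.2.1.7), so every
//     such address is listed for validation-record review.
// A certificate with no keyUsage extension parses with KeyUsage == 0, so
// the keyCertSign/cRLSign checks are naturally skipped in that case.
func CheckEVExtensions(c *x509.Certificate) []Finding {
	var fs []Finding
	if c.KeyUsage&x509.KeyUsageCertSign != 0 {
		fs = append(fs, Finding{"KU_CERTSIGN", "keyUsage asserts keyCertSign; not permitted in an EV subscriber certificate"})
	}
	if c.KeyUsage&x509.KeyUsageCRLSign != 0 {
		fs = append(fs, Finding{"KU_CRLSIGN", "keyUsage asserts cRLSign; not permitted in an EV subscriber certificate"})
	}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		fs = append(fs, Finding{"EKU_ABSENT", "no extendedKeyUsage present (permitted; EKU places no restriction on use)"})
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection {
			fs = append(fs, Finding{"EKU_EMAIL", "extendedKeyUsage includes emailProtection; certificate is usable for S/MIME"})
		}
	}
	for _, addr := range c.EmailAddresses {
		fs = append(fs, Finding{"SAN_EMAIL", fmt.Sprintf("rfc822Name %q in subjectAltName must have been verified by the CA", addr)})
	}
	return fs
}

// HasFinding reports whether a finding with the given code is present.
func HasFinding(fs []Finding, code string) bool {
	for _, f := range fs {
		if f.Code == code {
			return true
		}
	}
	return false
}

// NewSampleCert builds, signs and re-parses a self-signed certificate with
// the requested extensions. It is a constructed sample for exercising the
// checker, not an EV certificate issued by any CA.
func NewSampleCert(ku x509.KeyUsage, eku []x509.ExtKeyUsage, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Corp (constructed)"}},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       ku,
		ExtKeyUsage:    eku,
		DNSNames:       []string{"www.example.com"},
		EmailAddresses: emails, // encoded as rfc822Name entries in subjectAltName
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// A typical server certificate that also carries an email SAN: the
	// checker accepts the keyUsage, notes the serverAuth-only EKU, and lists
	// the address that the CA must have verified.
	cert, err := NewSampleCert(
		x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		[]string{"hostmaster@example.com"})
	if err != nil {
		panic(err)
	}
	for _, f := range CheckEVExtensions(cert) {
		fmt.Printf("%-12s %s\n", f.Code, f.Msg)
	}
}
```

Running it prints a single `SAN_EMAIL` line for the sample, which is exactly Frank's conclusion: the address is allowed to be there, but its presence obliges the CA to have verified it. Pointing `CheckEVExtensions` at a certificate parsed from a real issuance log would give the same finding for every rfc822Name, so an auditor can match each one against the CA's validation records.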