I was going through bugzilla, looking to see if anyone had added a request for a centralized database of locally-installed root certificates to be loaded as an additional crypto module, and I came across bug 430856. I have a couple of comments, even though the bug has been marked "resolved invalid".
First: RFC3280 has been obsoleted by RFC5280. Which standard is being written to and tested against, and if it's the obsolete one, why?

Second: EV certificates. I don't believe that there's an explicit "inhibit AnyPolicy" that's set in any of the EV certificates or certificates issued by EV certificates, but I have some problems with allowing AnyPolicy to map to EV. EV is, by definition, a commonly-agreed-on policy for issuance of certificates. Allowing AnyPolicy to map to it allows for a grievous error, either operationally or through malfeasance.

(Then again, I also tend to think that "AnyPolicy" is a horrible, horrible problem in the first place. I don't think there's any way for a policy creator to say "I don't want this policy to map to AnyPolicy", since trust flows down from the anchor, not up from the leaves.)

I know that there was someone from MoFo that went to the CAB forum. To this person I ask: Does the EV guideline have a policy OID assigned to it? If not, why not?

-Kyle H

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
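The anyPolicy concern raised in the message above, as an added example that is not part of the original post or of NSS: a simplified walk of RFC 5280 section 6.1 policy processing, showing an intermediate with anyPolicy letting a leaf's policy through and inhibitAnyPolicy stopping it. It assumes no policy mappings, self-issued certificates or requireExplicitPolicy; `EV_POLICY` and `OTHER_POLICY` are constructed placeholder OIDs, and the `Cert` class and sample chains are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

ANY_POLICY = "2.5.29.32.0"            # anyPolicy OID defined in RFC 5280
EV_POLICY = "1.3.6.1.4.1.99999.1"     # constructed placeholder, not a real EV OID
OTHER_POLICY = "1.3.6.1.4.1.99999.2"  # constructed placeholder

@dataclass
class Cert:
    name: str
    policies: Optional[frozenset]      # None = no certificatePolicies extension
    inhibit_any: Optional[int] = None  # inhibitAnyPolicy skip count, if present

def valid_policies(chain):
    """Walk chain (first CA cert -> leaf) and return the surviving policy set."""
    valid = {ANY_POLICY}               # initial state: any policy is acceptable
    inhibit = len(chain) + 1           # anyPolicy is honoured while this is > 0
    for cert in chain:
        if cert.policies is None:
            valid = set()              # no extension: nothing survives
        else:
            nxt = {p for p in cert.policies - {ANY_POLICY}
                   if p in valid or ANY_POLICY in valid}
            if ANY_POLICY in cert.policies and inhibit > 0:
                nxt |= valid           # anyPolicy carries every parent policy down
            valid = nxt
        if inhibit > 0:                # preparation for the next certificate
            inhibit -= 1
        if cert.inhibit_any is not None and cert.inhibit_any < inhibit:
            inhibit = cert.inhibit_any
    return valid

def chain_asserts(chain, required):
    """True if the path is valid for the relying party's required policy."""
    valid = valid_policies(chain)
    return required in valid or ANY_POLICY in valid

def cert(name, *pols, inhibit_any=None):
    return Cert(name, frozenset(pols), inhibit_any)

# Constructed sample chains (trust anchor omitted, as in RFC 5280 path input).
open_chain = [cert("intermediate", ANY_POLICY), cert("leaf", EV_POLICY)]
pinned_chain = [cert("intermediate", OTHER_POLICY), cert("leaf", EV_POLICY)]
inhibited_chain = [cert("ca1", ANY_POLICY, inhibit_any=0),
                   cert("ca2", ANY_POLICY), cert("leaf", EV_POLICY)]
```
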