On Sat, Aug 23, 2008 at 5:32 PM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> I was going through bugzilla, looking to see if anyone had added a
> request for a centralized database of locally-installed root
> certificates to be loaded as an additional crypto module, and I came
> across bug 430856.  I have a couple of comments, even though the bug
> has been marked "resolved invalid".
>
> First:  RFC3280 has been obsoleted by RFC5280.  Which standard is
> being written to and tested against, and if it's the obsolete one,
> why?

RFC 5280 is dated May 2008.  Bug 430856 was opened on
2008-04-25 and resolved on 2008-05-11.  RFC 3280 wasn't
obsolete at that time.

Right now we are following RFC 5280.

> Second: EV certificates.  I don't believe that there's an explicit
> "inhibit AnyPolicy" that's set in any of the EV certificates or
> certificates issued by EV certificates, but I have some problems with
> allowing AnyPolicy to map to EV.  EV is, by definition, a
> commonly-agreed-on policy for issuance of certificates.  Allowing
> AnyPolicy to map to it allows for a grievous error, either
> operationally or malfeasance.  (Then again, I also tend to think that
> "AnyPolicy" is a horrible, horrible problem in the first place.  I
> don't think there's any way for a policy creator to say "I don't want
> this policy to map to AnyPolicy", since trust flows down from the
> anchor, not up from the leaves.)
>
> I know that there was someone from MoFo that went to the CAB forum.
> To this person I ask: Does the EV guideline have a policy OID assigned
> to it?  If not, why not?

AnyPolicy: the EV guideline says the AnyPolicy OID can
only be used in the certificates for the intermediate CAs
controlled by the root CA.  The end server certificates must
contain an EV policy OID of the root CA (see below).

EV policy OID: each root CA has its own EV policy OIDs.
http://en.wikipedia.org/wiki/Extended_Validation_Certificate#Extended_Validation_certificate_identification
http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsIdentityChecking.cpp#71

Wan-Teh
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
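The two rules Wan-Teh states (anyPolicy allowed only on intermediates under the root, the end-entity certificate must carry one of the root's own EV OIDs) as an added example, not code from the thread or from NSS/PSM. Certificates are modelled as plain dicts rather than parsed DER, and the root name and EV OID in the table are constructed placeholders, not real CA values.

```python
# Added example: a chain-level EV policy check modelled on the rules in the
# thread. Certs are constructed dicts {'subject': str, 'policies': set of OIDs}.

ANY_POLICY = "2.5.29.32.0"  # id-ce-certificatePolicies anyPolicy (RFC 5280, 4.2.1.4)

# Hypothetical per-root EV OID table, in the spirit of the list kept in
# nsIdentityChecking.cpp. Both the subject and the OID are constructed.
EV_OIDS_BY_ROOT = {
    "CN=Example Root CA": {"1.3.6.1.4.1.99999.1.1"},
}


def chain_is_ev(chain):
    """chain is ordered leaf first, root last. Returns (is_ev, reason)."""
    if len(chain) < 2:
        return False, "need at least a leaf and a root"
    leaf, intermediates, root = chain[0], chain[1:-1], chain[-1]
    ev_oids = EV_OIDS_BY_ROOT.get(root["subject"])
    if not ev_oids:
        return False, "root has no registered EV policy OID"
    # Rule 1: the end-entity cert must assert one of the root's EV OIDs;
    # anyPolicy in the leaf is not accepted as EV.
    leaf_ev = leaf["policies"] & ev_oids
    if not leaf_ev:
        return False, "leaf lacks the root's EV policy OID"
    # Rule 2: every intermediate must carry that EV OID or anyPolicy
    # (anyPolicy is only permitted on CAs controlled by the root).
    for idx, ca in enumerate(intermediates, start=1):
        if not (ca["policies"] & leaf_ev) and ANY_POLICY not in ca["policies"]:
            return False, f"intermediate {idx} asserts neither the EV OID nor anyPolicy"
    return True, "EV policy OID %s valid through the chain" % sorted(leaf_ev)[0]


# Constructed sample chains for a stand-alone run.
ROOT = {"subject": "CN=Example Root CA", "policies": set()}
INTER_ANY = {"subject": "CN=Example EV Intermediate", "policies": {ANY_POLICY}}
LEAF_EV = {"subject": "CN=www.example.test", "policies": {"1.3.6.1.4.1.99999.1.1"}}
LEAF_ANY = {"subject": "CN=www.example.test", "policies": {ANY_POLICY}}

if __name__ == "__main__":
    print(chain_is_ev([LEAF_EV, INTER_ANY, ROOT]))   # EV: leaf carries root's OID
    print(chain_is_ev([LEAF_ANY, INTER_ANY, ROOT]))  # not EV: anyPolicy on the leaf
```

A real implementation would take the policy sets from the certificatePolicies extension of each certificate after ordinary RFC 5280 path validation has succeeded; this block only shows the EV-specific decision layered on top.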
