On Monday 12 January 2009 11:00:59 Eddy Nigg wrote: > On 01/12/2009 12:45 PM, Rob Stradling: > > "and required by EV" ? > > > > Eddy, the EV Guidelines impose certain requirements on Intermediate CAs > > *when* they are used, but AFAIK they don't mandate that Intermediate CAs > > MUST be used. > > > > Visit https://www.securetrust.com in FF3 for an example of an EV-enabled > > Root Certificate (CN = SecureTrust CA) that issues EV SSL Certificates > > without involving any Intermediate CA(s) in the certificate chain. > > Did just that....and this site's certificate is signed by "SecureTrust > CA" which chains to "Entrust.net Secure Server Certification Authority".
The "Entrust.net Secure Server Certification Authority" is used for legacy ubiquity only. Entrust and SecureTrust (aka Trustwave) have different EV Certificate Policy OIDs. https://www.securetrust.com only gets the EV UI in FF3 (and other EV-capable browsers) because the "SecureTrust CA" self-signed Root Certificate is enabled for EV. That's why Larry says "Verified by: SecureTrust Corporation", rather than "Verified by: Entrust, Inc." for https://www.securetrust.com. > But besides that, it's perhaps not clearly defined in the EV Guidelines, > but section 7 suggests that there are no roots issuing directly. I disagree. Section 7 says that "EV Subordinate CA Certificates" may exist, and it imposes some restrictions relating to Certificate Policy OIDs. But it does not say that "Root CA Certificates" should not be used for issuing end-entity EV Certificates. In fact, it says... "The Application Software Vendor identifies Root CAs that are approved to issue EV Certificates..." ...which surely cannot mean "Root CAs are not approved to issue EV Certificates" ! -- Rob Stradling Senior Research & Development Scientist Comodo - Creating Trust Online Office Tel: +44.(0)1274.730505 Fax Europe: +44.(0)1274.730909 www.comodo.com Comodo CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
