On 01/12/2009 01:20 PM, Rob Stradling:
> The "Entrust.net Secure Server Certification Authority" is used for legacy ubiquity only. Entrust and SecureTrust (aka Trustwave) have different EV Certificate Policy OIDs. https://www.securetrust.com only gets the EV UI in FF3 (and other EV-capable browsers) because the "SecureTrust CA" self-signed Root Certificate is enabled for EV.
I can't find the SecureTrust CA request for enabling EV. It's not on the pending list, not on the included list, nor could I find a bug for it... anybody know where the paper trail is for this CA?
> That's why Larry says "Verified by: SecureTrust Corporation", rather than "Verified by: Entrust, Inc." for https://www.securetrust.com.
I'm almost certain that the "Verified by" usually lists the last CA certificate in the chain. At least for regular SSL certs.
> I disagree. Section 7 says that "EV Subordinate CA Certificates" may exist, and it imposes some restrictions relating to Certificate Policy OIDs. But it does not say that "Root CA Certificates" should not be used for issuing end-entity EV Certificates. In fact, it says... "The Application Software Vendor identifies Root CAs that are approved to issue EV Certificates..." ...which surely cannot mean "Root CAs are not approved to issue EV Certificates"!
Then this is another issue to suggest change. Perhaps I wanted it to read that EV roots which are approved to issue EV certs, but issuing from intermediate - as most CAs actually have done so. That includes Verisign (most notable) which transitioned to issuing from intermediates a while ago. Mozilla doesn't enable intermediate CAs, it enables roots, even if only one intermediate issues EV and the root never does directly.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto