On Monday 12 January 2009 12:10:17 Eddy Nigg wrote:
> On 01/12/2009 01:20 PM, Rob Stradling:
> > The "Entrust.net Secure Server Certification Authority" is used for
> > legacy ubiquity only.  Entrust and SecureTrust (aka Trustwave) have
> > different EV Certificate Policy OIDs.  https://www.securetrust.com only
> > gets the EV UI in FF3 (and other EV-capable browsers) because the
> > "SecureTrust CA" self-signed Root Certificate is enabled for EV.
>
> I can't find the SecureTrust CA request for enabling EV. It's not on the
> pending list, not on the included list, nor could I find a bug for it...
> anybody know where the paper trail is for this CA?

https://bugzilla.mozilla.org/show_bug.cgi?id=409837

> > That's why Larry says "Verified by: SecureTrust Corporation", rather
> > than "Verified by: Entrust, Inc." for https://www.securetrust.com.
>
> I'm almost certain that the "Verified by" usually lists the last CA
> certificate in the chain. At least for regular SSL certs.

Ah yes, you may well be right.  I was probably thinking of IE7's equivalent 
behaviour.

In any case, if you compare the EV Policy OIDs mentioned in Bug #409837 
(SecureTrust) and Bug #416544 (Entrust) with the EV Policy OID in the site 
certificate for www.securetrust.com, you'll see that it's the "SecureTrust 
CA" which gives that site the EV UI.

> > I disagree.  Section 7 says that "EV Subordinate CA Certificates" may
> > exist, and it imposes some restrictions relating to Certificate Policy
> > OIDs.  But it does not say that "Root CA Certificates" should not be used
> > for issuing end-entity EV Certificates.  In fact, it says...
> > "The Application Software Vendor identifies Root CAs that are approved to
> > issue EV Certificates..."
> > ...which surely cannot mean "Root CAs are not approved to issue EV
> > Certificates" !
>
> Then this is another issue to suggest change. Perhaps I wanted it to
> read that EV roots which are approved to issue EV certs, but issuing
> from intermediate - as most CAs actually have done so. That includes
> Verisign (most notable) which transitioned to issuing from
> intermediates a while ago. Mozilla doesn't enable intermediate CAs, it
> enables roots, even if only one intermediate issues EV and the root
> never does directly.

Just because VeriSign use Intermediates for EV, I don't think that means that 
Mozilla should require CAs such as SecureTrust to do the same.

-- 
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ
