- From: Thomas Roessler <tlr@w3.org>
- Date: Mon, 13 Aug 2007 17:43:36 +0200
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Cc: michael.mccormick@wellsfargo.com, public-wsc-wg@w3.org, Pete.Palmer@wellsfargo.com, peltond@wellsfargo.com, Peri.Drucker@wellsfargo.com

On 2007-08-13 15:48:20 +0100, Stephen Farrell wrote:

> I'm a bit confused here. Isn't it a requirement for EV-like
> behaviour that the root-cert/trust-anchor is the thing that is
> marked? Otherwise, any old CA could insert the OID without having
> signed up to anything.

My read of what we've been told so far is that (a) the CA is designated through an out-of-band process, and (b) an extension shows up somewhere. I don't know whether that's on the entity certificate (in which case an EV-designated CA could issue non-EV certs), on the trust anchor, or on some intermediary cert.

My suspicion is that the extension is on the entity certificate. Waiting for the EV folks to confirm or deny. ;-)

--
Thomas Roessler, W3C <tlr@w3.org>

Received on Monday, 13 August 2007 15:43:39 UTC