
Re: EV-cert: "issuer-specific extension OID"?!

From: Serge Egelman <egelman@cs.cmu.edu>
Date: Tue, 31 Jul 2007 18:55:16 -0400
Message-ID: <46AFBDD4.6080103@cs.cmu.edu>
To: "Yngve N. Pettersen" <yngve@opera.com>, pbaker@verisign.com, public-wsc-wg@w3.org

I was also looking into this earlier.  From what I gather by reading the
sources of VeriSign's extension for Firefox (I suspect Phill can
confirm), the OIDs are stored statically in the browser (or the
extension in this case).  I assume inclusion is determined solely at the
discretion of the browser vendor.

I suspect the EV cabal chose to do it this way, rather than creating a
new EV extension, so that other CAs couldn't simply get users to add new
EV roots to their browsers manually.  Of course this threat model still
exists if browsers allow extensions to create similar or identical EV
indicators.


serge

Thomas Roessler wrote:
> In other words, we're not dealing with a machine-readable property
> of trust anchors, but with a property essentially signalled
> out-of-band.
> 
> Doesn't strike me as particularly scalable, and I suspect Stephen
> will have comments on Monday. :)
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Tuesday, 31 July 2007 22:56:10 GMT
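The static OID table Serge describes, as an added illustration in Python (not the VeriSign extension's source; the root names, policy OIDs and DER bytes below are constructed placeholders): the EV indicator is lit only when the chain's root has a row in the browser's hard-coded table and the leaf's certificatePolicies extension carries an OID listed in that row, so a root the user imported by hand, having no row, can never produce it.

```python
# Static table of which EV policy OIDs each shipped trust anchor may assert.
# Constructed placeholders: the names and OIDs are not real CA identifiers.
EV_POLICY_TABLE = {
    "Example Root CA 1": {"1.3.6.1.4.1.99999.1.1"},
    "Example Root CA 2": {"1.3.6.1.4.1.99999.2.7"},
}
# Constructed DER certificatePolicies values for two hypothetical leaf certs:
#   SEQUENCE { SEQUENCE { OBJECT IDENTIFIER 1.3.6.1.4.1.99999.1.1 } }
EV_LEAF_POLICIES = bytes.fromhex("300e300c060a2b06010401868d1f0101")
#   same shape, but policy OID 1.3.6.1.4.1.99999.1.9 (listed for no root)
DV_LEAF_POLICIES = bytes.fromhex("300e300c060a2b06010401868d1f0109")

def _read_tlv(data: bytes, pos: int):
    """Parse one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    subids, acc = [], 0
    for byte in body:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this sub-identifier
            subids.append(acc)
            acc = 0
    first = subids[0]  # the first two arcs are packed as 40*a + b
    a, b = divmod(first, 40) if first < 80 else (2, first - 80)
    return ".".join(str(x) for x in [a, b] + subids[1:])

def policy_oids(cert_policies_der: bytes) -> list:
    """Return the policyIdentifier OIDs in a DER certificatePolicies value."""
    tag, seq, _ = _read_tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)        # PolicyInformation
        inner_tag, oid_body, _ = _read_tlv(info, 0)  # policyIdentifier
        if tag == 0x30 and inner_tag == 0x06:
            oids.append(_decode_oid(oid_body))
    return oids

def ev_indicator(root_name: str, cert_policies_der: bytes) -> bool:
    """EV only if the root has a table row AND the leaf asserts one of its OIDs."""
    allowed = EV_POLICY_TABLE.get(root_name, set())  # hand-imported root: empty
    return any(oid in allowed for oid in policy_oids(cert_policies_der))
```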
