- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Mon, 13 Aug 2007 13:13:10 -0400
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, michael.mccormick@wellsfargo.com, public-wsc-wg@w3.org, Pete.Palmer@wellsfargo.com, peltond@wellsfargo.com, Peri.Drucker@wellsfargo.com

The nice thing about Firefox extensions is that you can read the source on most of them. I read through the source of the one VeriSign released to make the bar turn green in IE; it has both the roots and the OIDs hard coded. I assume IE works in a similar way (storing both EV roots and OIDs somewhere away from other certs).

From just a quick look, the only EV-designator I can see on the root is in the CN, implying that EV roots could be used to issue non-EV certs (assuming they exclude the magic number, err, OID).

serge

Thomas Roessler wrote:
> On 2007-08-13 15:48:20 +0100, Stephen Farrell wrote:
>
>> I'm a bit confused here. Isn't it a requirement for EV-like
>> behaviour that the root-cert/trust-anchor is the thing that is
>> marked? Otherwise, any old CA could insert the OID without having
>> signed up to anything.
>
> My read of what we've been told so far is that (a) the CA is
> designated through an out-of-band process, and (b) an extension
> shows up somewhere. I don't know whether that's on the entity
> certificate (in which case an EV-designated CA could issue non-EV
> certs), on the trust anchor, or on some intermediary cert. My
> suspicion is that the extension is on the entity certificate.
>
> Waiting for the EV folks to confirm or deny. ;-)
>

--
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Monday, 13 August 2007 17:13:40 UTC
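
The pairing discussed in this thread (a hard-coded list of EV roots, each tied to a policy OID), sketched as an added example; it is not part of the original message and not the extension's code. It assumes the OID sits on the entity certificate, that path validation has already succeeded, and it uses simplified certificate objects with constructed fingerprints and OIDs from the 2.999 example arc.

```javascript
// Constructed allow-list: trust-anchor fingerprint -> the policy OID that
// designates EV under that anchor. All values are placeholders.
const EV_ANCHORS = new Map([
  ["fp:constructed-ev-root-a", "2.999.1.1"],
  ["fp:constructed-ev-root-b", "2.999.2.1"],
]);

// chain: certificates ordered leaf first, root last. Each certificate is a
// simplified object { subject, fingerprint, policyOids } (hypothetical shape).
// Signature and path validation are assumed to have been done by the caller.
function classifyChain(chain) {
  if (!Array.isArray(chain) || chain.length === 0) {
    return { ev: false, reason: "empty chain" };
  }
  const leaf = chain[0];
  const root = chain[chain.length - 1];

  // Step 1: the anchor must be one of the out-of-band designated roots.
  const evOid = EV_ANCHORS.get(root.fingerprint);
  if (evOid === undefined) {
    return { ev: false, reason: "root not EV-designated" };
  }

  // Step 2: the entity certificate must assert the OID bound to that root.
  // An OID registered for a different root does not count.
  const policies = Array.isArray(leaf.policyOids) ? leaf.policyOids : [];
  if (!policies.includes(evOid)) {
    return { ev: false, reason: "leaf lacks the OID bound to this root" };
  }
  return { ev: true, reason: "designated root and matching OID" };
}

// Constructed sample chains covering the cases raised in the thread.
const evRootA = { subject: "CN=Example EV Root A", fingerprint: "fp:constructed-ev-root-a", policyOids: [] };
const evRootB = { subject: "CN=Example EV Root B", fingerprint: "fp:constructed-ev-root-b", policyOids: [] };
const otherRoot = { subject: "CN=Example Other Root", fingerprint: "fp:constructed-other", policyOids: [] };
const leafWith = (oids) => ({ subject: "CN=www.example.test", fingerprint: "fp:leaf", policyOids: oids });

const SAMPLES = {
  evRootWithOid: [leafWith(["2.999.1.1"]), evRootA],     // EV
  evRootWithoutOid: [leafWith([]), evRootA],             // EV root issuing a non-EV cert
  otherRootWithOid: [leafWith(["2.999.1.1"]), otherRoot], // "any old CA" inserting the OID
  wrongRootForOid: [leafWith(["2.999.1.1"]), evRootB],   // OID belongs to another root
};
```

Only the first sample is treated as EV; the other three fail on one side of the pairing, which is why both the roots and the OIDs have to be fixed in the client.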