On Sep 10, 6:29 pm, "Wan-Teh Chang" <[EMAIL PROTECTED]> wrote:
<snip>
> I wrote the current code in net/base/ev_root_ca_metadata.cc before
> someone told me about a paper that reverse-engineered the EV
> policy OID metadata built in to the Windows system certificate
> store: http://www.keyon.ch/de/News/Faking%20Extended%20Validation%20SSL%20Ce...
>
> I'm planning to rewrite our code to use the Windows built-in EV
> policy OID metadata following the info in that paper, but haven't
> got around to that.

If you do remove Chrome's own list of EV Policy OIDs and use the
Windows list instead...
What will the Linux and Mac versions do, given that Mozilla's list of
EV Policy OIDs is in PSM, not NSS?

Perhaps Chrome should retain its own list of EV Policy OIDs, which
could be shared cross-platform.
Or perhaps, Wan-Teh, you could ask Nelson, Kai et al to move Mozilla's
list from PSM into NSS and then use that.

> I'd appreciate it if you could send us the instructions, or just confirm
> that the info on how to get the EV policy OID metadata in that
> paper is correct.

AFAIK, that paper's analysis is correct.
Chrome on Windows could potentially download (regularly)
authrootstl.cab from Microsoft's servers (or, better still, check
(regularly) the copy that Windows has already downloaded) and parse it
to discover the EV Policy OID metadata.

By the way, if there is any CryptoAPI function that allows you to
extract the EV Policy OID data directly from the local Windows Trusted
Root Certificate Store, I would advise you to *not* use it.
On Windows XP, the metadata (including any EV Policy OIDs) for a Root
Certificate that is already present in the local Windows Trusted Root
Certificate Store is *not* updated when it changes in a new version of
authroot.stl.
This means that most Windows XP boxes do not trust certain Root
Certificates for EV, even though authroot.stl and all Windows Vista
boxes do!

Speaking from a CA's point-of-view, I'd like to see only 1 list of EV
Policy OIDs for Chrome across all platforms, and the Microsoft and
Mozilla lists are not synchronized.

My preferred solution would be to get Mozilla's list of EV Policy OIDs
moved from PSM to NSS, and for Chrome on Windows, Linux and Mac to all
use NSS as the crypto library, root certificate store and EV Policy
OID list.

> Wan-Teh
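As an added example, not code from this thread or from Chromium: a minimal DER walk that pulls the policy OIDs out of a leaf certificate's certificatePolicies extension and checks them against one cross-platform EV table keyed by root fingerprint, which is the shape of the single list the reply argues for. The sample extension bytes and the fingerprint keys are constructed; 2.23.140.1.1 (CA/Browser Forum EV policy) and 2.5.29.32.0 (anyPolicy) are real OIDs.

```python
# Added example (not from the thread or Chromium): decode certificatePolicies
# and match its OIDs against a per-root EV table. Only the leaf's policies are
# inspected here; real EV validation also runs RFC 5280 policy processing
# over the whole chain.

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128, high bit = continue
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def policy_oids(ext_value):
    """Return policy OIDs from a certificatePolicies value: SEQUENCE OF PolicyInformation."""
    tag, outer, _ = _read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        assert tag == 0x30, "PolicyInformation must be a SEQUENCE"
        itag, oid_bytes, _ = _read_tlv(info, 0)   # policyIdentifier first; qualifiers ignored
        assert itag == 0x06, "policyIdentifier must be an OID"
        oids.append(decode_oid(oid_bytes))
    return oids

# Constructed sample: SEQUENCE { SEQUENCE { OID 2.23.140.1.1 }, SEQUENCE { OID 2.5.29.32.0 } }
SAMPLE_CERT_POLICIES = bytes.fromhex("3011" "3007" "060567810c0101" "3006" "0604551d2000")

# Constructed placeholders: root fingerprint -> EV policy OIDs that root is approved for.
EV_METADATA = {
    "PLACEHOLDER_ROOT_FINGERPRINT_A": {"2.23.140.1.1"},
    "PLACEHOLDER_ROOT_FINGERPRINT_B": {"1.3.6.1.4.1.99999.1.1"},   # constructed OID
}

def is_ev(root_fingerprint, cert_policies_der, metadata=EV_METADATA):
    """True if any leaf policy OID is an EV OID registered for the chain's root."""
    allowed = metadata.get(root_fingerprint, set())
    return any(oid in allowed for oid in policy_oids(cert_policies_der))
```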