Maybe I don’t say it clearly.
The EV SSL have two policy OID, one is the CABF EV OID, another one is the CA's EV OID, right? Check the EV SSL for www.symantec.com<http://www.symantec.com>, the CABF EV OID is 2.23.140.1.1, and the Symantec EV OID is 2.16.840.1.113733.1.7.23.6 And check www.gloabalsign.com<http://www.gloabalsign.com> EV SSL that no CABF EV OID, GlobalSign EV OID is 1.3.6.1.4.1.4146.1.1 What I mean is the GlobalSign EV OID 1.3.6.1.4.1.4146.1.1 is belong to GlobalSign that the browser can identity the EV SSL Issuer is GlobalSign, so Google can’t use this EV OID for its own EV SSL, Google must use its own EV OID for its EV SSL. So, no EV OID transfer issue for root key transfer. Best Regards, Richard From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Thursday, March 9, 2017 11:14 AM To: Gervase Markham <g...@mozilla.org>; Richard Wang <rich...@wosign.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Google Trust Services roots Hi Richard, That's not how Certificate Policy OIDs work - either in the specifications or in the Baseline Requirements. I'm also not aware of any program requiring what you describe. Because of this, it's unclear to me, and I suspect many other readers, why you believe this is the case, or if you meant that it SHOULD be the case (for example, developing a new policy requirement), why you believe this. Perhaps you could share more details about your reasoning? On Wed, Mar 8, 2017 at 9:15 PM Richard Wang via dev-security-policy <dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>> wrote: As I understand, the EV SSL have two policy OID, one is the CABF EV OID, another one is the CA's EV OID, so the root key transfer doesn't have the EV OID transfer case, CA can't transfer its own EV OID to other CA exception the CA is full acquired. So the policy can make clear that the root key transfer can't transfer the EV OID, the receiver must use its own EV policy OID for its EV SSL, the receiver can't use the transferor's EV OID. Best Regards, Richard -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+richard<mailto:dev-security-policy-bounces%2Brichard>=wosign....@lists.mozilla.org<mailto:wosign....@lists.mozilla.org>] On Behalf Of Gervase Markham via dev-security-policy Sent: Thursday, March 9, 2017 12:21 AM To: mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Google Trust Services roots Having gained a good understanding of Peter and Ryan's positions, I think I am now in a position to evaluate Peter's helpful policy suggestions. Whether or not we decide to make updates, as Kathleen pronounced herself satisfied at the time with Google's presented documentation and migration plan, it would be unreasonable for us to retroactively censure Google for following that plan. On 09/02/17 22:55, Peter Bowen wrote: > Policy Suggestion A) When transferring a root that is EV enabled, it > should be clearly stated whether the recipient of the root is also > receiving the EV policy OID(s). I agree with this suggestion; we should update https://wiki.mozilla.org/CA:RootTransferPolicy , and eventually incorporate it into the main policy when we fix https://github.com/mozilla/pkipolicy/issues/57 . _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy