Richard,

I'm afraid a few things are confused here.

First, a single CA Operator may have multiple roots in the browser
trust list.  Each root may list one or more certificate policies that
map to the EV policy.  Multiple roots that follow the same policy may
use the same policy IDs and different roots from the same operator may
use different policies.

For example, I see the following in the Microsoft trust list:

CN=CA 沃通根证书,O=WoSign CA Limited,C=CN
CN=Class 1 Primary CA,O=Certplus,C=FR
CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
each of these has one EV mapped policy: 1.3.6.1.4.1.36305.2

CN=AffirmTrust Commercial,O=AffirmTrust,C=US has policy
1.3.6.1.4.1.34697.2.1 mapped to EV
CN=AffirmTrust Networking,O=AffirmTrust,C=US has policy
1.3.6.1.4.1.34697.2.2 mapped to EV
CN=AffirmTrust Premium,O=AffirmTrust,C=US has policy
1.3.6.1.4.1.34697.2.3 mapped to EV
CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US has policy
1.3.6.1.4.1.34697.2.4 mapped to EV
All of these are from the same company, but each has its own policy identifier.

The information on "Identified by <something>" in Microsoft's browsers
comes from the "Friendly Name" field in the trust list. For example,
the friendly name of CN=Class 1 Primary CA,O=Certplus,C=FR is "WoSign 1999".

For something like the AffirmTrust example, they could easily sell one
root along with the exclusive right to use that root's EV OID without
impacting their other OIDs.

Does that make sense?

Thanks,
Peter

On Wed, Mar 8, 2017 at 8:44 PM, Richard Wang via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> I don't think so, please check this page:
> https://cabforum.org/object-registry/ which lists most CAs' EV OIDs, and all
> browsers ask for the CA's own EV OID when applying for inclusion and EV enablement.
> So, as I understand it, the browser displays the EV green bar and displays the
> "Identified by CA name" based on this CA's EV OID.
>
> I don't think Symantec has a reason to use GlobalSign's EV OID in its EV SSL
> certificate; why doesn't Symantec use its own EV OID? If Symantec issued an EV
> SSL using GlobalSign's EV OID, I think the IE browser would display that this EV SSL is
> identified by GlobalSign, not by Symantec.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
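The decision Peter describes, as an added example that is not part of the thread: a trust list keyed by root, where each root carries its friendly name and the policy OIDs it maps to EV, and a check that grants EV only when the leaf's OID is mapped by the root it actually chains to. The roots and OIDs are the ones quoted in the message; every friendly name except "WoSign 1999" is a constructed placeholder, not Microsoft's actual value.

```python
# Added example (not from the thread): a model of the EV decision described
# above. Roots and OIDs are those quoted in the message; every friendly name
# except "WoSign 1999" is a constructed placeholder, not Microsoft's value.
ANY_POLICY = "2.5.29.32.0"            # anyPolicy never earns EV treatment
WOSIGN_EV = "1.3.6.1.4.1.36305.2"

# root subject -> (friendly name, set of policy OIDs that root maps to EV)
TRUST_LIST = {
    "CN=CA 沃通根证书,O=WoSign CA Limited,C=CN":
        ("WoSign Root (constructed)", {WOSIGN_EV}),
    "CN=Class 1 Primary CA,O=Certplus,C=FR":
        ("WoSign 1999", {WOSIGN_EV}),
    "CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN":
        ("WoSign CA (constructed)", {WOSIGN_EV}),
    "CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN":
        ("WoSign ECC (constructed)", {WOSIGN_EV}),
    "CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN":
        ("WoSign G2 (constructed)", {WOSIGN_EV}),
    "CN=AffirmTrust Commercial,O=AffirmTrust,C=US":
        ("AffirmTrust Commercial (constructed)", {"1.3.6.1.4.1.34697.2.1"}),
    "CN=AffirmTrust Networking,O=AffirmTrust,C=US":
        ("AffirmTrust Networking (constructed)", {"1.3.6.1.4.1.34697.2.2"}),
    "CN=AffirmTrust Premium,O=AffirmTrust,C=US":
        ("AffirmTrust Premium (constructed)", {"1.3.6.1.4.1.34697.2.3"}),
    "CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US":
        ("AffirmTrust Premium ECC (constructed)", {"1.3.6.1.4.1.34697.2.4"}),
}


def ev_status(leaf_policies, root_subject, trust_list=TRUST_LIST):
    """Return (is_ev, identified_by) for a leaf whose certificatePolicies
    carry leaf_policies and whose chain ends at root_subject.

    EV is granted only when one of the leaf's OIDs is in the EV mapping of
    the root it actually chains to; the OID alone proves nothing, and the
    "Identified by" text is that root's friendly name."""
    entry = trust_list.get(root_subject)
    if entry is None:
        return False, None                  # root is not in the trust list
    friendly_name, ev_oids = entry
    if (set(leaf_policies) - {ANY_POLICY}) & ev_oids:
        return True, friendly_name
    return False, None


def roots_mapping(oid, trust_list=TRUST_LIST):
    """Trusted roots that map oid to EV: several for the shared WoSign OID,
    exactly one for each AffirmTrust OID."""
    return sorted(s for s, (_, oids) in trust_list.items() if oid in oids)
```

A leaf asserting the AffirmTrust Networking OID but chaining to the AffirmTrust Commercial root gets no EV treatment, which is the behaviour that lets one root and its OID be sold off without affecting the operator's other roots.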