On 09/03/17 02:15, Richard Wang wrote:
> So the policy can make clear that the root key transfer can't
> transfer the EV OID, the receiver must use its own EV policy OID for
> its EV SSL, the receiver can't use the transferor's EV OID.

We could indeed write this into the policy, but it would have the effect of stopping the receiver of the root from issuing EV certs until the updated root store with the new policy OID mapping was in all Firefoxes. Given that OIDs are just opaque identifiers, it seems unnecessary to require this.

What security or other problem is caused if e.g. Google were to use an EV OID originally used by (or still used by) GlobalSign, assuming the two companies agreed that was OK?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy