This issue is presented for resolution in the next version of the Mozilla Root Store Policy. It is related to Issue #147 <https://github.com/mozilla/pkipolicy/issues/147> (previously posted for discussion on this list on 6-Oct-2020).
Possible language is presented here: https://github.com/BenWilson-Mozilla/pkipolicy/commit/c1acc76ad9f05038dc82281532fb215d71d537d4 In addition to replacing "if issuing EV certificates" with "if capable of issuing EV certificates" in two places -- for WebTrust and ETSI audits -- it would be followed by "(i.e. a subordinate CA under an EV-enabled root that contains no EKU or the id-kp-serverAuth EKU or anyExtendedKeyUsage EKU, and a certificatePolicies extension that asserts the CABF EV OID of 2.23.140.1.1, the anyPolicy OID, or the CA's EV policy OID)." Thus, Mozilla considers that a CA is capable of issuing EV certificates if it is (1) a subordinate CA (2) under an EV-enabled root (3) that contains no EKU or the id-kp-serverAuth EKU or anyExtendedKeyUsage EKU, and (4) a certificatePolicies extension that asserts the CABF EV OID of 2.23.140.1.1, the anyPolicy OID, or the CA's EV policy OID. I look forward to your suggestions. Thanks, Ben _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
