On 12/11/2020 10:41 a.m., Dimitris Zacharopoulos via dev-security-policy wrote:
> Finally, I would like to highlight that policy OID chaining is not
> currently supported in the webPKI by Browsers, so even if a CA adds a
> particular non-EV policyOID in an Intermediate CA Certificate, this
> SubCA would still be technically capable of issuing an end-entity
> certificate asserting an EV policy OID, and that certificate would
> probably get EV treatment from existing browsers. Is this correct?

I see that this is related to
https://github.com/mozilla/pkipolicy/issues/152, so I guess Mozilla
Firefox does not enable "EV Treatment" if an Intermediate CA Certificate
does not assert the anyPolicy or the CA's EV policy OID, including the
CA/B Forum EV OID, regardless of what the end-entity certificate asserts.
Dimitris.
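
A minimal model of the two behaviours discussed in the message above, added here as an illustration; it is not Firefox's or any other browser's code. Certificates are reduced to the OIDs in their certificatePolicies extension, the chain is assumed to be ordered leaf first with the root omitted, and the CA-specific EV OID is a constructed placeholder.

```python
from dataclasses import dataclass

ANY_POLICY = "2.5.29.32.0"       # X.509 anyPolicy
CABF_EV = "2.23.140.1.1"         # CA/B Forum EV policy OID
CABF_OV = "2.23.140.1.2.2"       # CA/B Forum OV policy OID
CA_OWN_EV = "1.3.6.1.4.1.99999.1.1"  # constructed placeholder for a CA's own EV OID

# OIDs accepted as EV for this (hypothetical) root
EV_OIDS = frozenset({CABF_EV, CA_OWN_EV})


@dataclass(frozen=True)
class Cert:
    name: str
    policies: frozenset  # OIDs asserted in certificatePolicies


def leaf_only_ev(chain, ev_oids=EV_OIDS):
    """No policy chaining: only the end-entity certificate is inspected."""
    return bool(chain[0].policies & ev_oids)


def chained_ev(chain, ev_oids=EV_OIDS):
    """Chained check: the leaf asserts an EV OID and every intermediate
    asserts anyPolicy or one of the EV OIDs."""
    leaf, intermediates = chain[0], chain[1:]
    if not leaf.policies & ev_oids:
        return False
    allowed = ev_oids | {ANY_POLICY}
    return all(bool(ca.policies & allowed) for ca in intermediates)


# Constructed sample certificates
ev_leaf = Cert("leaf asserting EV", frozenset({CABF_EV}))
ov_subca = Cert("SubCA with OV policy only", frozenset({CABF_OV}))
any_subca = Cert("SubCA with anyPolicy", frozenset({ANY_POLICY}))
ev_subca = Cert("SubCA with CA's own EV OID", frozenset({CA_OWN_EV}))

if __name__ == "__main__":
    for subca in (ov_subca, any_subca, ev_subca):
        chain = [ev_leaf, subca]
        print(f"{subca.name}: leaf-only={leaf_only_ev(chain)} "
              f"chained={chained_ev(chain)}")
```

The first sample chain is the case raised in the quoted paragraph: a leaf-only check grants EV treatment under a non-EV SubCA, while the chained check refuses it.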