Frank Hecker wrote: > The proposal for EV testing, as I understand it, is to add the CA > certificate for PCA3 G5 to the NSS root list, and to mark it with the > associated EV metadata. Then when the Firefox 3 beta releases encounter > a certificate issued from either of the two VeriSign EV subordinate CAs, > the chain processing will stop at PCA G5 (instead of continuing on to > PCA G1). The EV metadata stored for PCA G5 will then cause NSS and PSM > to treat the end-entity cert in question as an EV cert, and Firefox will > present the EV UI. > > Note that I think that at least some other CAs are planning to take a > similar approach to incorporating EV certs into their hierarchy, i.e., > introducing a new EV "root" signed by an existing root. My understanding > is that the certificate path processing in these cases can get tricky > because there two valid paths (up to the existing root and up to the new > EV "root"); hence the need to get some good testing of these scenarios > well before Firefox 3 final release Yes, this would be the technical question which I mentioned earlier. In this scenario, is it a requirement to have the (EV anabled) CA certificate in NSS or are there other indicators which could make NSS aware of it?
-- Regards Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org> Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]> Blog: Join the Revolution! <http://blog.startcom.org> Phone: +1.213.341.0390 _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto