Eddy Nigg (StartCom Ltd.) wrote:
> Yes, this would be the technical question which I mentioned earlier. In 
> this scenario, is it a requirement to have the (EV enabled) CA 
> certificate in NSS or are there other indicators which could make NSS 
> aware of it?

I think the issue is that the CA cert in question (VeriSign PCA3 G5) 
needs to be both specifically known to NSS (i.e., preloaded) and also 
marked with EV metadata (i.e., the associated EV policy OID). Otherwise 
the CA cert will be unknown to NSS, and NSS will treat it as an 
intermediate CA cert chaining up to a separate known root (PCA3 G1).

Note that the VeriSign case is distinct from the case where an existing 
root CA cert is simply marked with EV metadata. I don't know which (if 
any) CAs plan to take this approach.


Frank Hecker
dev-tech-crypto mailing list
