Frank Hecker wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>> Yes, this would be the technical question which I mentioned earlier. In this scenario, is it a requirement to have the (EV-enabled) CA certificate in NSS or are there other indicators which could make NSS aware of it?
>
> I think the issue is that the CA cert in question (VeriSign PCA3 G5) needs to be both specifically known to NSS (i.e., preloaded) and also marked with EV metadata (i.e., the associated EV policy OID). Otherwise the CA cert will be unknown to NSS, and NSS will treat it as an intermediate CA cert chaining up to a separate known root (PCA3 G1).
>
> Note that the VeriSign case is distinct from the case where an existing root CA cert is simply marked with EV metadata. I don't know which (if any) CAs plan to take this approach.
Check out this page: http://www.mozilla.org/projects/security/certs/included/
It seems there are some CAs which would issue from an EV-enabled root.

--
Regards
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto