Hmmm... actually, it would be possible, but only with the cooperation of the CAs.
We currently know the EV policy OIDs for EV-enabled roots. What we don't know is the policy OIDs assigned for different types of validation, or the Subject names used by different CAs for DV certificates. If we could get those, it would be a start in being able to pass information up. Granted, this starts getting into the PolicyMapping extensions defined in PKIX... a given subCA would have to define its own Policy OIDs for its own validation performance, and the parent CA would have to include a PolicyMapping of some kind from its DV OID to the subCA's OID. (There doesn't appear to be any means of stating that a given subCA is ONLY authorized to issue certificates with a single policy, for those that are designed for DV issuance only... but I could be wrong. Anyone?) -Kyle H On Tue, Dec 30, 2008 at 5:59 PM, Daniel Veditz <dved...@mozilla.com> wrote: > Frank Hecker wrote: >> (It's not 100% clear to me how they distinguish DV certs from OV >> certs, so I'd take this last figure with a grain of salt.) > [...] >> In practice we have a de facto differentiation between EV certs and >> all other certs, as embodied in the Firefox UI. > > If Firefox could reliably distinguish between DV and OV certs I'd love > to see some UI difference there, too, and so would some of the Firefox > UI folks I've talked to. > _______________________________________________ > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto