As I understand, EV SSL has two policy OIDs: one is the CABF EV OID, the other is the CA's EV OID. So the root key transfer doesn't have the EV OID transfer case; a CA can't transfer its own EV OID to another CA except when the CA is fully acquired.
So the policy can make clear that the root key transfer can't transfer the EV OID; the receiver must use its own EV policy OID for its EV SSL, and the receiver can't use the transferor's EV OID.

Best Regards,

Richard

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy
Sent: Thursday, March 9, 2017 12:21 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Google Trust Services roots

Having gained a good understanding of Peter and Ryan's positions, I think I am now in a position to evaluate Peter's helpful policy suggestions.

Whether or not we decide to make updates, as Kathleen pronounced herself satisfied at the time with Google's presented documentation and migration plan, it would be unreasonable for us to retroactively censure Google for following that plan.

On 09/02/17 22:55, Peter Bowen wrote:
> Policy Suggestion A) When transferring a root that is EV enabled, it
> should be clearly stated whether the recipient of the root is also
> receiving the EV policy OID(s).

I agree with this suggestion; we should update https://wiki.mozilla.org/CA:RootTransferPolicy, and eventually incorporate it into the main policy when we fix https://github.com/mozilla/pkipolicy/issues/57.