Hi Richard,

That's not how Certificate Policy OIDs work - either in the specifications
or in the Baseline Requirements. I'm also not aware of any program
requiring what you describe.

Because of this, it's unclear to me, and I suspect many other readers, why
you believe this is the case, or if you meant that it SHOULD be the case
(for example, developing a new policy requirement), why you believe this.

Perhaps you could share more details about your reasoning?

On Wed, Mar 8, 2017 at 9:15 PM Richard Wang via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> As I understand, the EV SSL has two policy OIDs: one is the CABF EV OID,
> the other is the CA's EV OID, so the root key transfer doesn't have the
> EV OID transfer case; a CA can't transfer its own EV OID to another CA
> except when the CA is fully acquired.
>
> So the policy can make clear that the root key transfer can't transfer the
> EV OID; the receiver must use its own EV policy OID for its EV SSL, and the
> receiver can't use the transferor's EV OID.
>
> Best Regards,
>
> Richard
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+richard=
> wosign....@lists.mozilla.org] On Behalf Of Gervase Markham via
> dev-security-policy
> Sent: Thursday, March 9, 2017 12:21 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Google Trust Services roots
>
> Having gained a good understanding of Peter and Ryan's positions, I think
> I am now in a position to evaluate Peter's helpful policy suggestions.
>
> Whether or not we decide to make updates, as Kathleen pronounced herself
> satisfied at the time with Google's presented documentation and migration
> plan, it would be unreasonable for us to retroactively censure Google for
> following that plan.
>
> On 09/02/17 22:55, Peter Bowen wrote:
> > Policy Suggestion A) When transferring a root that is EV enabled, it
> > should be clearly stated whether the recipient of the root is also
> > receiving the EV policy OID(s).
>
> I agree with this suggestion; we should update
> https://wiki.mozilla.org/CA:RootTransferPolicy , and eventually
> incorporate it into the main policy when we fix
> https://github.com/mozilla/pkipolicy/issues/57 .
>
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>