Hi Richard,

That's not how Certificate Policy OIDs work - either in the specifications or in the Baseline Requirements. I'm also not aware of any program requiring what you describe.

Because of this, it's unclear to me, and I suspect many other readers, why you believe this is the case, or if you meant that it SHOULD be the case (for example, developing a new policy requirement), why you believe this. Perhaps you could share more details about your reasoning?

On Wed, Mar 8, 2017 at 9:15 PM Richard Wang via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> As I understand, the EV SSL has two policy OIDs, one is the CABF EV OID,
> another one is the CA's EV OID, so the root key transfer doesn't have the
> EV OID transfer case, CA can't transfer its own EV OID to other CA
> except when the CA is fully acquired.
>
> So the policy can make clear that the root key transfer can't transfer the
> EV OID, the receiver must use its own EV policy OID for its EV SSL, the
> receiver can't use the transferor's EV OID.
>
> Best Regards,
>
> Richard
>
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy
> Sent: Thursday, March 9, 2017 12:21 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Google Trust Services roots
>
> Having gained a good understanding of Peter and Ryan's positions, I think
> I am now in a position to evaluate Peter's helpful policy suggestions.
>
> Whether or not we decide to make updates, as Kathleen pronounced herself
> satisfied at the time with Google's presented documentation and migration
> plan, it would be unreasonable for us to retroactively censure Google for
> following that plan.
>
> On 09/02/17 22:55, Peter Bowen wrote:
> > Policy Suggestion A) When transferring a root that is EV enabled, it
> > should be clearly stated whether the recipient of the root is also
> > receiving the EV policy OID(s).
>
> I agree with this suggestion; we should update
> https://wiki.mozilla.org/CA:RootTransferPolicy , and eventually
> incorporate it into the main policy when we fix
> https://github.com/mozilla/pkipolicy/issues/57 .
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy