Yes, it means the two companies used the same policy for issuance - as identified by that policy. Did you read the ETSI materials I suggested you do? Perhaps this would make it easier for you.

I don't think encouraging a CA to misissue - which, if you read other people's replies, you would see Ryan identified it as misissuance (but not for the reasons you note) - is productive. Misissuing is very bad, as you hopefully know. If two certificates, from different organizations, have the same policy OID, it means they were issued in whatever manner necessary to comply with that OID at the time they were issued. And that's perfectly ok and not at all prohibited. If you're worried that GlobalSign's policy might describe GlobalSign-only things, then you're forgetting GlobalSign can update their policy at any time. Just like we use the same CABF EV OID despite the policies for EV changing every time we update the EVG, at any point GlobalSign could indicate their EV OID "just" means following the EVGs, which any organization that is trusted to issue certificates can do at any time.

On Thu, Mar 9, 2017 at 1:14 AM Richard Wang via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> The reason we set up one EV OID for all roots is that we use the same policy for all EV SSL certificates, no matter which root issues them. The policy OID is a unique ID.
>
> If Google uses the GlobalSign EV OID, and GlobalSign also uses this EV OID, does this mean two companies use the same policy?
>
> It is better to do a test: Google issues an EV SSL certificate from this acquired root using the GlobalSign EV OID, then checks every browser's UI display info, to see whether that info will confuse the browser users.
>
> Best Regards,
>
> Richard
>
> -----Original Message-----
> From: Peter Bowen [mailto:pzbo...@gmail.com]
> Sent: Thursday, March 9, 2017 1:11 PM
> To: Richard Wang <rich...@wosign.com>
> Cc: Ryan Sleevi <r...@sleevi.com>; Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Google Trust Services roots
>
> Richard,
>
> I'm afraid a few things are confused here.
>
> First, a single CA Operator may have multiple roots in the browser trust list. Each root may list one or more certificate policies that map to the EV policy. Multiple roots that follow the same policy may use the same policy IDs, and different roots from the same operator may use different policies.
>
> For example, I see the following in the Microsoft trust list:
>
> CN=CA 沃通根证书,O=WoSign CA Limited,C=CN
> CN=Class 1 Primary CA,O=Certplus,C=FR
> CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
> CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
> CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
>
> Each of these has one EV mapped policy: 1.3.6.1.4.1.36305.2
>
> CN=AffirmTrust Commercial,O=AffirmTrust,C=US has policy 1.3.6.1.4.1.34697.2.1 mapped to EV
> CN=AffirmTrust Networking,O=AffirmTrust,C=US has policy 1.3.6.1.4.1.34697.2.2 mapped to EV
> CN=AffirmTrust Premium,O=AffirmTrust,C=US has policy 1.3.6.1.4.1.34697.2.3 mapped to EV
> CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US has policy 1.3.6.1.4.1.34697.2.4 mapped to EV
>
> All of these are from the same company, but each has its own policy identifier.
>
> The information on "Identified by <something>" in Microsoft's browsers comes from the "Friendly Name" field in the trust list. For example, the friendly name of CN=Class 1 Primary CA,O=Certplus,C=FR is "WoSign 1999".
>
> For something like the AffirmTrust example, they could easily sell one root along with the exclusive right to use that root's EV OID without impacting their other OIDs.
>
> Does that make sense?
>
> Thanks,
> Peter
>
> On Wed, Mar 8, 2017 at 8:44 PM, Richard Wang via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> > I don't think so; please check this page: https://cabforum.org/object-registry/, which lists most CAs' EV OIDs, and all browsers ask for the CA's own EV OID when applying for inclusion and EV enablement. So, as I understand it, the browser displaying the EV green bar and displaying "Identified by CA name" is based on this CA's EV OID.
> >
> > I don't think Symantec has any reason to use the GlobalSign EV OID in its EV SSL certificates; why doesn't Symantec use its own EV OID? If Symantec issued an EV SSL certificate using GlobalSign's EV OID, I think the IE browser will display that this EV SSL certificate is identified by GlobalSign, not by Symantec.
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
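Peter's description above of how EV status is decided per root (the trust list maps each root to the policy OIDs it may assert as EV, and the leaf must carry one of them in its certificatePolicies extension), as an added Python example that is not code from the thread or from any participant: it decodes a DER certificatePolicies value and matches the OIDs against a mapping built from the trust-list excerpt quoted above. The trust-list subset, the constructed leaf policies and the use of 2.23.140.1.1 (the CA/Browser Forum EV OID) are assumptions made for the example.

```python
def _read_tlv(buf, pos):  # one DER tag/length/value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OBJECT IDENTIFIER contents -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0  # first byte packs two arcs
    for b in body[1:]:  # remaining arcs are base 128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def encode_oid(dotted):  # dotted string -> full OID TLV (tag 0x06)
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append((arc & 0x7F) | 0x80)
        body += bytes(reversed(chunk))
    return b"\x06" + bytes([len(body)]) + body

def policy_oids(ext_value):  # certificatePolicies ::= SEQUENCE OF PolicyInformation
    tag, seq, _ = _read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):  # PolicyInformation ::= SEQUENCE { policyIdentifier, ... }
        _, info, pos = _read_tlv(seq, pos)
        tag, oid_body, _ = _read_tlv(info, 0)  # first element is the OID (tag 0x06)
        oids.append(decode_oid(oid_body))
    return oids

def encode_policies(oids):  # constructed certificatePolicies value with no qualifiers
    infos = b"".join(b"\x30" + bytes([len(t)]) + t for t in map(encode_oid, oids))
    return b"\x30" + bytes([len(infos)]) + infos

# Root subject -> EV-mapped OIDs (subset of the trust-list excerpt; assumed for the example)
EV_TRUST_LIST = {
    "CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN": {"1.3.6.1.4.1.36305.2"},
    "CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN": {"1.3.6.1.4.1.36305.2"},
    "CN=AffirmTrust Commercial,O=AffirmTrust,C=US": {"1.3.6.1.4.1.34697.2.1"},
    "CN=AffirmTrust Networking,O=AffirmTrust,C=US": {"1.3.6.1.4.1.34697.2.2"},
}

def ev_policy_match(root_subject, ext_value):  # EV-mapped leaf policy OID, or None
    mapped = EV_TRUST_LIST.get(root_subject, set())
    return next((o for o in policy_oids(ext_value) if o in mapped), None)
```

A leaf carrying the AffirmTrust Commercial OID chains to EV only under the Commercial root; under the Networking root the same leaf is not EV, while the two WoSign roots accept the same shared OID.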