As my understanding, if WoSign buy an trusted EV enabled root key with EV OID today, then we can issue WoSign EV SSL cert using this EV OID tomorrow, the browser will display EV green bar. Right? If right, we like this policy, thanks.
Best Regards, Richard > On 9 Mar 2017, at 19:51, Gervase Markham <g...@mozilla.org> wrote: > >> On 09/03/17 02:15, Richard Wang wrote: >> So the policy can make clear that the root key transfer can't >> transfer the EV OID, the receiver must use its own EV policy OID for >> its EV SSL, the receiver can't use the transferor's EV OID. > > We could indeed write this into the policy, but it would have the effect > of stopping the receiver of the root from issuing EV certs until the > updated root store with the new policy OID mapping was in all Firefoxes. > Given that OIDs are just opaque identifiers, it seems unnecessary to > require this. > > What security or other problem is caused if e.g. Google were to use an > EV OID originally used by (or still used by) GlobalSign, assuming the > two companies agreed that was OK? > > Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
