Eddy Nigg (StartCom Ltd.) wrote:
> Now, I have no clue how this is going to work and perhaps Nelson can 
> give us some more information....example: If AddTrust is going to be 
> upgraded to an EV root, is any sub ordinated CA potentially an EV CA? 

I haven't yet looked in detail at the Network Solutions request (I'll be 
doing that this week), but I can at least comment on the general case of 
the question I think you're asking. If a given root CA is approved for 
EV use, then my understanding is that the root CA in question can enable 
one of its subordinate CAs to issue EV certs by doing one of two things:

1. If the subordinate CA is not directly controlled by the root CA 
(e.g., it's operated by a third party under some sort of agreement with 
the root CA's operator), then the root CA has to include a 
certificatePolicies extension in the subordinate CA's certificate, with 
the policy OID having the exact value of the EV OID associated with the 
root. (In other words, if the root's EV OID is 1.2.3.4, then the 
policy OID set in the subordinate CA certificate has to be 1.2.3.4 as well.)

2. If the subordinate CA is directly controlled by the root CA (e.g., 
the root CA's operator is using a combination of an off-line root and an 
online subordinate to do the actual issuing), then alternatively the 
root CA can set the policy OID in the subordinate CA's certificate to a 
special "anyPolicy" value (2.5.29.32.0).

(The above is paraphrased from page 11 of the EV guidelines.)

So the bottom line is that if a root CA is approved for EV, its 
subordinate CAs do *not* automatically gain the ability to issue EV 
certificates. Instead the root CA has to specifically enable a given 
subordinate to be "EV-capable", by issuing it a CA certificate with the 
necessary EV policy OID(s) included.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
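A check of the two rules Frank describes, as an added example that is not part of the thread: it parses the DER value of a subordinate CA's certificatePolicies extension and returns whether that sub-CA is EV-capable for a given root EV OID (rule 1: exact OID match; rule 2: anyPolicy, accepted only when the root operator directly controls the sub-CA). The sample DER blobs are constructed by hand and use the 1.2.3.4 placeholder OID from the message.

```python
# Added example, not code from the original message.  Input is the raw DER
# value of a certificatePolicies extension: SEQUENCE OF PolicyInformation,
# where each PolicyInformation is a SEQUENCE whose first element is the
# policyIdentifier OID (policy qualifiers, if present, are ignored here).

ANY_POLICY = "2.5.29.32.0"   # id-ce-certificatePolicies anyPolicy


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID content octets (base-128 arcs) into dotted form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(value)
            value = 0
    first = arcs[0]                         # first octet packs the first two arcs
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def policy_oids(cert_policies_der):
    """Extract every policyIdentifier from a certificatePolicies extension value."""
    tag, seq, _ = _read_tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        oid_tag, oid_raw, _ = _read_tlv(info, 0)   # first element: policyIdentifier
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_raw))
    return oids


def ev_capable(cert_policies_der, root_ev_oid, directly_controlled):
    """Rule 1: sub-CA cert carries the root's exact EV OID.
    Rule 2: anyPolicy counts only for a sub-CA the root operator controls."""
    oids = policy_oids(cert_policies_der)
    return root_ev_oid in oids or (directly_controlled and ANY_POLICY in oids)


# Constructed sample extension values (hand-encoded DER).
EV_ONLY = bytes.fromhex("3007 3005 0603 2a0304")        # {1.2.3.4}
ANY_ONLY = bytes.fromhex("3008 3006 0604 551d2000")     # {anyPolicy}
OTHER_ONLY = bytes.fromhex("3007 3005 0603 2a0305")     # {1.2.3.5}
```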
